New security flaws affect almost every PC on Earth
‘As it is not easy to fix, it will haunt us for quite some time,’ researchers warn
Technology companies are working to protect their customers after researchers revealed that major security flaws affecting nearly every modern computer processor could allow hackers to steal stored data — including passwords and other sensitive information — on desktops, laptops, mobile phones and cloud networks around the globe.
The scramble to harden a broad array of devices comes after researchers found two significant vulnerabilities within modern computing hardware, one of which cannot be fully resolved as of yet.
Experts say the disclosure of the critical flaws underscores the need to keep up with software updates and security patches and highlights the role independent research plays in prodding tech companies to minimize security weaknesses.
The more pervasive flaw of the two, dubbed Spectre, leaves the world’s supply of microprocessors potentially vulnerable to attack, the researchers said.
They have verified that the exploit, which breaks down the isolation between different applications, can affect products made by Intel, AMD and Arm.
“As it is not easy to fix, it will haunt us for quite some time,” the researchers said, explaining why they chose to call the flaw Spectre.
While hackers will find it harder to take advantage of Spectre, it is also more challenging for computer manufacturers to ward off, the researchers said.
There’s no complete software fix against Spectre right now, said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon, a defence company. The long-term solution may rely on a hardware redesign, he said, with software patches acting to monitor and stop malicious behaviour. In the meantime, criminal actors and nation states could further develop the Spectre vulnerability, making attacks easier to execute.
“Right now it’s kind of tricky to take advantage of it,” Daly said. “But it’s not going to stop there. They will improve on it.”
The other flaw, called Meltdown, affects most Intel processors made after 1995. And while security patches exist for devices running Linux, Windows, and OS X, the researchers said, the fix may slow their performance by as much as 30 per cent, according to some estimates.
Intel said in a blog post Wednesday that it has begun providing updates to mitigate the risks posed by the exploits. The company also downplayed concerns about slowed performance, noting that for the “average computer user” the impact should not be significant and will lessen over time.
Microsoft said in a statement Thursday that it is not aware of any of these vulnerabilities being used against its customers.
“We are in the process of deploying mitigations to cloud services and released security updates on Jan. 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD,” the company said.
Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have or will soon be updated to protect against the newly disclosed vulnerabilities.