Security analysts have warned that hackers are likely to very quickly add exploit code for these vulnerabilities to their hacking tool set. While the updates for the Meltdown vulnerability has been made available for download from Google, Microsoft, and Apple, the patch for the more dangerous and difficult to plug named Spectre, still remains elusive.
Security researchers disclosed that a newly found set of vulnerabilities could allow hackers to steal sensitiev information from almost every other up-to-date computing device which contains chips from ARM Holdings, Intel Corp and Advanced Micro Devices Inc.
While one of the bugs is specific to Intel chips another has a more side ranging impact as its affects desktops, laptops, tablets, smartphones, and internet servers.
Both ARM and Intel insisted that the flaw is not a design flaw; users will require to download a patch and update their operating system.
“Phones, PCs, everything are going to have some impact, but it’ll vary from product to product,” said Brian Krzanich, Intel’s CEO in an interview with CNBC.
Security researchers from Alphabet Inc’s Google Project Zero along with their peers in academic and industry researchers discovered two flaws.
The Meltdown vulnerability affects Intel chips and allows hackers to bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords.
The Spectre vulnerability on the other hand affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up confidential information.
Security researchers stated Microsoft Corp and Apple Inc have issued patches that users who have been affected by Meltdown can download.
Microsoft declined to comment; Apple did not immediately return requests for comment.
As per Daniel Gruss, a researcher at Graz University of Technology, termed the Meltdown vulnerability as “probably one of the worst CPU bugs ever found”.
In the short term, although Meltdown posses a more serious problem it can be stopped with a patch; Spectre on the other hand which affects a broader range of computing devices, is harder for hackers to exploit but is more difficult to patch in the long term, said Gruss.
“Intel has begun providing software and firmware updates to mitigate these exploits,” said Intel in a statement. “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Phil Hughes, ARM’s spokesman said patches have already been shared with the companies’ partners, which include many smartphone makers.
“This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory,” said Hughes.
In its statement, AMD said its chips are also affected by at least one variant of the vulnerability but that can be patched with a software update. AMD said it believes there “is near zero risk to AMD products at this time.”
In a blog post Google said Android phones running the latest security patches are protected, as its flagship Nexus and Pixel phones.
Google also stated Gmail users do not need to take any additional action to protect themselves; however users of its Chromebooks, Chrome web browser as well as many of its Google Cloud services will need to install software updates.
Amazon said, the bulk of its cloud computing service, used by businesses, have been already patched while the rest were in the process of being patched.
As per Dan Guido, CEO of Trail of Bits, a cyber security consulting firm, businesses should quickly move to update vulnerable systems; he expects hackers to quickly develop exploitable code with which they can launch cyber attacks.
“Exploits for these bugs will be added to hacker’s standard toolkits,” said Guido.
“The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid,” said Hans Mosesmann of Rosenblatt Securities while adding the vulnerabilities could hurt the company’s brand goodwill.