Meltdown, Spectre: What We Know About the Major Cyber Security Flaws and How to Protect Yourself
The discovery of massive cyber security flaws affecting nearly every computer and device has sent developers across major platforms around the world racing to roll out fixes for the bugs.
Researchers from Google, academia and cyber security firms discovered the two flaws, now known as “Meltdown” and “Spectre” and computer chips that are part of nearly all modern computers.
What are Meltdown and Spectre?
Keep up with this story and more by subscribing now
Meltdown is a flaw affecting laptops, desktop computers and internet servers with Intel chips, which allows hackers to steal data, including passwords that have been saved in Web browsers.
The flaw lets hackers circumvent the hardware barrier that exists between applications run by users and the computer’s memory, allowing them to read the system’s memory, according to the Register, which first reported the flaws.
While the defect is specific to Intel, Intel and ARM have insisted that the bug was not a design flaw, but that users will be required to download a patch and update their operating systems to fix the issue.
Read more: Hacked sex robots could murder people, security expert warns
The three major operating systems, Microsoft Corp, Apple Inc and Linux, are all issuing updates that should serve as a fix for the vulnerability.
Spectre is a bug affecting chips in smartphones and tablets, as well as computer chips from Intel and Advanced Micro Devices Inc. that allows for hackers to manipulate apps into leaking sensitive information. While Spectre has been branded less dangerous than Meltdown, it is expected to be more difficult to patch.
According to Google, a disclosure date for the security flaws had been coordinated for January 9, but researchers decided to bring the bugs to light ahead of that date “because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
How serious are these security flaws?
Daniel Gruss, a researcher from Graz University of Technology who helped discover the Meltdown bug, told Reuters the flaw was “probably one of the worst CPU (central processing unit) bugs ever found."
Gruss warned that Meltdown is the more serious bug of the two, but said it could be stopped with software patches.
The bug affects the so-called kernel memory on all Intel x86 processor chips that have been manufactured over the past decade, according to the Register.
This means users of applications could discern the content of protected areas on the chips, making it possible for hackers to take advantage of other security flaws or expose secure information, including passwords, which could mean compromising not only individual computers, but also entire server networks.
Spectre is expected to be more difficult to patch and will likely present a bigger problem in the long term, Gruss said. However, he added that the flaw is more difficult for hackers to take advantage.
British cyber security expert Graham Cluley told Newsweek that while consumers should be concerned, their priority should be on making sure their systems are up to date.
"Any security flaws are troubling, and these are clearly critical vulnerabilities, but there is little that consumers can do other than wait for security patches to be released and then apply them as a matter of priority. Don't panic, make a cup of tea, install patches and security updates," Cluley said.
He added: "The good news is that this particular issue has been examined closely behind closed doors in recent months, and updates are either already out or on their way."
How to protect yourself
Consumers have been advised to check with their device makers and operating system providers for all security updates and install any updates as soon as possible.
Alphabet Inc.’s Google has said Android phones with the most recent security updates should be protected and users of web services like Gmail should also be safe.
Google has posted a full list of affected products and their uppdated security status here.
Researchers have said an update is on the way for Apple laptops and desktops. It is still unclear whether the company’s iPhones and iPads are at risk.
Chromebook users who have older versions will need to install an update, while Chrome web browser users are expected to receive a patch on January 23.
Major cloud services, including Amazon Web Services, Google Cloud Platform and Microsoft Azure say they have already been able to patch the majority of their services and will be releasing fixes for the rest in the near future.
While patches are being released by developers at a rapid pace, CERT has gone so far as to recommend that users either apply updates to address the security flaws or replace their CPU hardware entirely.
"The underlying vulnerability is primarily caused by CPU architecture design choices," the computer emergency response team has said on its website. "Fully removing the vulnerability requires replacing vulnerable CPU hardware."