The flaws are found in virtually all CPUs made by ARM, Intel, and AMD, which combined cover the majority of the global computer processor market, and could give hackers an open door to stealing data. The flaws were discovered by security researchers at Google’s Project Zero and academics and other researchers working in the industry.
Spectre and Meltdown affect almost every smartphone, tablet, and PC from every brand across nearly all operating systems. Cloud computing services are also affected.
Daniel Gruss, a researcher from Graz University of Technology in Austria and one of the researchers who discovered Meltdown, says it is “probably one of the worst CPU bugs ever found.” This bug affects first and foremost Intel processors made since 1995, with the exception of Atom processors made before 2013 and Intel's Itanium server chips.
Spectre affects many processors made by a wide range of companies, including ARM, AMD, and Intel. This flaw exploits the speculative execution performance feature found in modern CPUs, letting hackers trick applications into coughing up information. The bug allows an attacker to read memory they otherwise wouldn’t, and shouldn’t, have access to, such as memory belonging to other processes or to virtual machines sharing the same system, and memory across other assorted permission boundaries.
Gruss notes that this flaw is harder for hackers to take advantage of but at the same time more difficult to fix. Looking at the future, this makes Spectre more of a longer-term nuisance.
Here’s what companies are doing about the bugs
ARM indicates that patches have been distributed to its partners.
AMD stated that it believes that there “is zero risk to AMD products at this time.”
Google has said users of its Android phones are protected as long as they download the latest security updates. Its cloud services are also affected, and the company has stated that it has updated its G Suite and cloud services, although customers may need to take additional measures for its Compute Engine and other Cloud Platform systems.
Apple has released mitigations against Meltdown. For Spectre, it says it plans to release mitigations for its Safari browser in the next few days. According to Apple, Meltdown and Spectre have affected all of its iPhone, iPad, and Mac products, but not the Apple Watch.
Microsoft has also released patches for its devices and services, such as its Surface tablets and its cloud services. The BBC notes that, “Windows users should be aware that third-party anti-virus software may need to be updated before applying operating system patches.”