Meltdown and Spectre chip security scare: Should you be afraid?

Alphabet's Google Zero Team in collaboration with academic and industry researchers from different countries have uprooted two security flaws, Reuters point out. Known by the names Spectre and Meltdown, the flaws affect chips from Intel and Arm. The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.

"Intel has a tool you can use to check if your system is vulnerable to the bugs", Kaspersky Lab's GReAT Senior Security Researcher, Ido Naor, advised.

While initial coverage of the Meltdown vulnerability said that fixes could bring hits to performance, Apple says that neither macOS nor iOS suffer from a "measurable reduction in performance" in benchmarking or in web browsing testing. Microsoft said that a "majority" of its Azure cloud services used by businesses had already been patched and protected and that it is issuing a Windows security update. That said, exploiting this bug wouldn't leave traces so it's hard to know if it's being used "in the wild", as security researchers say. The company has also issued updates on iOS, MacOS, tvOS to protect customers against these flaws.

Once you've run the file or added the registry key manually, your PC will receive the patches for the Meltdown and Spectre vulnerabilities. In the meantime, software vendors are releasing patches to prevent attackers from exploiting these vulnerabilities.

Companies scrambled yesterday (Jan. 3) to release patches for Windows and Android devices, with speculation mounting that the flaws, which apply to most modern processors, impacted Apple's devices, too.

Moritz Lipp of Austria's Graz Technical University is one of the researchers who found the flaw.

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. "Intel has begun providing software and firmware updates to mitigate these exploits", Intel said in a statement. The company also downplayed concerns about slowed performance, noting that for the "average computer user" the impact should not be significant and will lessen over time.

But there will be stumbling blocks: On Thursday, some Microsoft Azure customers reportedly said machines failed to come back online after receiving a patch.

The vulnerability first disclosed by the Register noted that the bug could allow cyber-criminals to steal information stored in the kernel memory of "computer chips" on a computer, servers in data centres and even those devices running cloud computing services.

Google has published a list of all its devices and software that might need updates and what users have to do to install them, though many (like Chromebooks) will self install.

Apple was one of the last major computer firms left to comment on the newly discovered flaw, although it was already widely believed that its devices could be affected.

  • Joey Payne