All week, the tech world has been piecing through rumors of a potentially catastrophic flaw in an entire generation of processors — but with all developers subject to a non-disclosure agreement, there were few hard facts to go on.
Now, new details have emerged on how severe and far reaching the vulnerability truly is. ZDNet and the New York Times are reporting that two critical vulnerabilities — dubbed “Meltdown” and “Spectre” — affect nearly every device made in the past 20 years. The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. The result, one researcher told ZDNet, is that "an attacker might be able to steal any data on the system.”
The researchers have created a website with more details on Meltdown and Spectre - https://meltdownattack.com/. Its FAQ, like many security-related FAQs, is simultaneously comforting and hair-raising. It starts with “Am I affected by the bug? Most certainly, yes.” It notes that there are patches for Meltdown for Windows, Linux, and macOS. It also notes that that Spectre, though harder for a hacker to implement, is more problematic: “As it is not easy to fix, it will haunt us for quite some time.”
One vulnerability could affect nearly every device made in the past 20 years - computers, servers, and phones
Intel chips have been at the focus of initial research and subsequent reporting on the vulnerability, although it remains unclear whether non-Intel chips could be susceptible. In a public statement, Intel said “many different vendors’ processors and operating systems... are susceptible to these exploits.” AMD has denied any of its processors are vulnerable, although Google researchers say they’ve demonstrated a successful attack on AMD’s FX and PRO CPUs. ARM has also confirmed that its Cortex-A processors are vulnerable.
Google’s Project Zero released further details on the bug, which appears to affect both Android and ChromeOS devices, although Google claims exploiting the bug is “difficult and limited on the majority of Android devices.” The next version of Chrome, to be released January 23, will also be altered to be mitigate the attack, and enabling the existing “site isolation” feature can also provide some protection.
Microsoft has also released an emergency patch to all devices running Windows 10, with further updates planned. There have also been rumors of a partial MacOS fix deployed with version 10.13.2, although the extent of the changes remains unclear. Apple did not respond to multiple requests for comment.
It’s also unclear how the various patches will affect processor performance. Some estimates for some Linux-based systems ranged as high as seventeen percent, although tests of other applications saw little to no effect. Nevertheless, the early impact appears significant, with slowdowns depending largely on the workload of the given device.