The tech world has been rocked in recent days by news of two major security flaws making nearly every computing device vulnerable to hackers. The issues were detected by researchers from Google Project Zero, a division of Alphabet (NASDAQ:GOOGL) (NASDAQ:GOOG), working with academic and industry researchers from a number of different countries. What was originally reported as a vulnerability specific to processors made by Intel (NASDAQ:INTC) turned out to have much broader implications.
The vulnerabilities were detected sometime last year, and Google reported the flaws to the affected companies between June and July of 2017. Major chip companies and computer makers were working on patches and other security measures to mitigate the threat and say they planned to disclose the issue on Jan 9, 2018, but the story broke on British technology site The Register on Jan. 2.
Here's a rundown of the bugs and how some big tech companies are approaching the problem.
Security researchers found two separate problems that would put devices at risk in different ways.
The first issue, dubbed Meltdown, is a vulnerability that would allow hackers to access the central processing unit (CPU) on a computer or cloud computing platform and steal passwords and other sensitive information. Meltdown is limited to processors produced by Intel, though it affects nearly every chip the company has sold since the mid-1990s. The good news, if you can call it that, is that patches to the operating systems of affected computers will stop potential attacks.
The second issue, called Spectre, is a hardware bug that will be much harder to resolve, as it exists at the level of the chip architecture, although those looking into the matter say it is also much more difficult for hackers to exploit. The vulnerability permits access to sensitive data, but it affects a much broader range of devices and impacts processors from Intel, Advanced Micro Devices, Inc. (NASDAQ: AMD), and privately held ARM Holdings. This vulnerability runs through virtually every modern computing device from desktops to laptops, and smartphones to tablets. The exploit can be blocked by software patches over the short term, but it could slow the affected systems and may ultimately result in the redesign of chip architecture to provide a longer-term fix.
Many fixes were already in place
Apple (NASDAQ:AAPL) has confirmed that virtually all of its devices could be affected. The company reported that it had released patches that address the Meltdown issue in recent updates for iOS, macOS, and tvOS -- all prior to the news reports detailing the vulnerabilities. The operating system for the Apple Watch was not affected by the issue. The company also said that in bench-marking tests, there was "no measurable reduction in the performance" of the devices run by macOS or iOS.
Apple said additional measures to help defend against the Spectre vulnerability would be released in the near future.
Microsoft (NASDAQ:MSFT) issued an update for Windows that would protect users from Meltdown exploits. One potential complication is that the update could encounter problems with certain antivirus software packages. The company is also deploying the measures to its Azure cloud computing platform.
Google, whose researchers helped identify the issue, reported that it had already mitigated the threat for its devices running the latest security updates, and that many weren't vulnerable in the first place. Some users of Chromebooks and Google Cloud services will need to install recently released updates.
Keep your device up to date
The best thing people can do is keep their devices current with the latest updates and security patches. These threats are merely new variations on an old theme. Those that have downloaded the most recent updates are, for the most part, already protected.