Meltdown and Spectre are the names of two serious security flaws that have been found in computer processors. They could allow hackers to steal sensitive data without users knowing, one of which affects chips produced since 1995.
What are Meltdown and Spectre?
Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between user-managed applications and the computer's main memory, which is normally highly protected.
Spectre is slightly different. It potentially allows hackers to trick otherwise error-free applications into giving up secret information.
Is it serious?
Yes. Meltdown is "probably one of the worst CPU bugs ever found" according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw. It is very serious in the short term and needs immediate attention.
What types of devices are affected?
Virtually all computing devices affected by Spectre, including laptops, desktops, tablets, smartphones, and even cloud computing systems. Some lower power devices, such as some Internet of Things gadgets, are not affected.
Is it only affecting Intel processors?
Spectre affects all modern processors, including those designed by Intel, AMD and ARM, but Meltdown is currently believed to only affect Intel chips produced since 1995, with the exception of Itanium and Atom chips produced before 2013.
What can be stolen?
The main system, known as a kernel, stores all kinds of sensitive information in memory. This means that bank documents, credit cards, financial data, communications, logins, passwords and secret information could all be at risk due to Meltdown.
Spectre can be used to trick normal applications into giving up sensitive data, potentially meaning that anything processed by an application can be stolen, including passwords and other data.
Is it already used to steal data?
The UK's National Cyber Security Centre said there was no evidence that Meltdown and Spectre are currently being used to steal data, but the nature of the attacks makes them difficult to detect.
Experts predict that hackers will quickly develop programs to launch attacks now that the information is available. Dan Guido, CEO of cybersecurity consultancy Trail of Bits, said: "Exploits for these bugs will be added to standard hacker toolkits."
What can I do about it?
Users can do little to avoid security flaws in addition to updating their computers with the latest security fixes as soon as possible. Fixes for Linux and Windows are already available. Chromebooks upgraded to Chrome OS 63, which launched in mid-December, are already protected.
Android devices that perform the latest security update, including Google's Nexus and Pixel smartphones, are already protected. Updates should be released soon. Users of other devices will have to wait for updates to be sent from third-party manufacturers, including Samsung, Huawei and OnePlus.
On Thursday night, in a blog post, Apple advised customers to update their devices' operating systems and only download software from "trusted sources like the App Store." The company also stated that "there are no known exploits that affect customers at this time."
Will fixes slow down my PC?
While fixes for Spectre are not expected to have a very immediate impact on computer performance, the nature of the fixes needed to protect against Meltdown could have a significant impact.
This is due to the separation of the application and kernel memory required by the various operating systems to prevent the defect from being used to access the protected data. Separating the two memory systems in this way means that tasks that constantly require the kernel for things, such as writing files to disk or sending data over a network, could be significantly slower due to the longer that the processor will take to switch from application memory to kernel memory.
Some early estimates predict a slowdown of up to 30% in some activities. Whether users notice a difference on their computers will depend on what they are trying to do. The game, navigation and general computer activities are unlikely to be affected, but those that involve many writing files can slow down.
Some technologies, such as Intel's Process-Context Identifiers (PCIDs), included with the company's processors since 2013, can reduce the impact of fixes when exploited in the operating system.
Who found it?
Meltdown was discovered by 3 teams, Jann Horn from Project Zero di Google, Werner Haas e Thomas Prescher - Cyberus Technology and Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz from Graz University of Technology in Austria.
Spectre was discovered independently by two people, including Horn and Paul Kocher, who worked in collaboration with Daniel Genkin, of the University of Pennsylvania and the University of Maryland, Mike Hamburg of the Rambus technology studio, Lipp and Yuval Yarom of the University of Adelaide and Data61.
Are also cloud services impacted?
The problem is amplified for cloud services such as Amazon's web services and Google's cloud platform, due to the scope of their COMPUTING resources and the potential impact on the performance of fixes.
Amazon said it is in a "small single-digit percentage" of its already protected Amazon Web Services EC2 systems, but that "customers also need to patch their instance operating systems" to be fully protected.
Google also claimed that most of its systems have been upgraded, but that some additional customer actions may be needed for its processing engine and other cloud platform systems.
Microsoft said it is in the process of deploying patches on its cloud systems.