What the newly found chip flaws mean for you

Computer chip security flaw could expose users to hackers

Technology companies are scrambling to fix serious security flaws affecting computer processors built by Intel (INTC) and other chipmakers and found in many of the world's personal computers and smartphones.

The two hardware bugs discovered can be exploited to allow the memory content of a computer to be leaked. Such a leak could potentially expose stored passwords and other sensitive data, including personal photos, emails and instant messages.

Researchers at Google's (GOOG) Project Zero and academic institutions including the Graz University of Technology in Austria discovered the problem last year and disclosed it Wednesday.

There's no evidence that bad actors have yet exploited the bugs, but companies from Microsoft (MSFT) to Mozilla said this week they have worked to patch up vulnerabilities to their operating systems and browsers to protect against one of the bugs. But researchers say the other is harder to fix and "will haunt us for quite some time."

Here's a look at what's affected, what's being done about it and whether you should worry.

Intel Inside

Intel is at the center of the problem because it supplies the processors used in many of the world's PCs. Researchers say one of the bugs, called Meltdown, affects nearly every processor it has made since the mid-1990s.

While security flaws are typically limited to a specific company or product, Intel says the problem is "not a bug or a flaw in Intel products" but rather a broader problem affecting processing techniques common to modern computing platforms.

Breaking down the year's biggest software bugs and hacks

Both the chipmaker and Google, which informed Intel about the vulnerability last year, said they were planning to disclose the issue next week when fixes will be available. Tech companies typically withhold details about security problems until fixes are available so that hackers wouldn't have a roadmap to exploit the flaws. But in this case, Intel was forced to disclose the problem Wednesday after British technology site The Register reported it, causing Intel's stock to fall.

Most of the immediate fixes will be limited to the Meltdown bug. The other, Spectre, is harder to fix, but also harder to exploit, making it less of an immediate threat to consumer devices.

Intel also plans to design future chip architecture to prevent the exploits. In the case of Intel's fix, it could slow down the performance of some devices by 30 percent or more. Most users, though, won't see much of an impact, likely only as much as 2 percent, said Steve Smith, head of Intel's data center engineering operations, during a conference call on Wednesday.

Other chipmakers

While researchers say the Meltdown bug is limited to Intel processors, they have verified Spectre as a problem for Intel, Advanced Micro Devices (AMD) and ARM processors. AMD chips are also common in PCs, while ARM chips are found in many smartphones and other internet-connected products, including cars and home appliances.

AMD said there is "near zero risk" to its own processors, either because its chips are designed differently, or security fixes for Microsoft Windows and other operating systems will take care of the problem.

Looking to 2018's digital dangers

ARM Holdings said it's working with Intel, AMD and operating system vendors to address the problem. The ARM design is also used in Apple's (AAPL) mobile chips.

"We are in the process of informing our silicon partners and encouraging them to implement the software mitigations developed if their chips are impacted," ARM said. It also published a support page with more information.

 Apple confirmed in a statement Thursday that Mac computers, iPhones and other iOS mobile devices are affected, but noted, "there are no known exploits impacting customers at this time."

What to do next

There are limits to what consumers can do now to protect their computers.

Advice from the U.S Computer Emergency Readiness Team's was grim. The federal organization said "fully removing the vulnerability" requires replacing the hardware already embedded in millions of computing devices.

That's not to say nothing can be done.

Apple pointed out that "exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device," so it suggested consumers could protect themselves by "downloading software only from trusted sources such as the App Store." 

Consumers can mitigate the underlying vulnerability by making sure they patch up their operating systems with the latest software upgrades. There are already Meltdown patches for Microsoft's Windows, Apple's macOS and Linux. Mozilla says it's also implementing a short-term mitigation that disables some capabilities of its Firefox browser. Google says Android devices are protected if they have the latest security updates.

"If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don't have to worry," security researcher Rob Graham said in a blog post Thursday. "If you aren't up to date, then there's a lot of other nasties out there you should probably also be worrying about."

Graham said fixing the problem will require a major redesign of processors and operating systems, but that's not something most consumers will notice.

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.