Two security bugs have been identified in Intel processing chips, which could allow hackers to steal personal information from computer systems.
Google researchers found that one of these “serious security flaws”, named “Spectre”, was found in chips made by Intel, AMD and ARM.
The other bug, known as “Meltdown”, reportedly only affects chips made by Intel alone.
>See also: Severe vulnerability discovered in WhatsApp
“Many types of computing devices – with many different vendors’ processors and operating systems – are susceptible to these exploits,” said Intel.
The problem is so extensive that the researchers who found the bugs, suggest chips from as far back as 1995 have been affected.
Intel provides chips to about 80% of desktop computers and 90% of laptops worldwide.
The technology industry know about this gaping flaw for months, and it hoped to solve the problem before details were made public – somewhat echoing the uber data breach cover up.
However, the UK’s National Cyber Security Centre has said that there is no evidence these security flaws have been exploited. Indeed, Professor Alan Woodward, from the University of Surrey said that it “is significant but whether it will be exploited widely is another matter.”
Intel have said that software updates have been introduced or will be available in the next few days, while ARM has said that patches have been shared with its customers, which include smartphone manufacturers.
AMD said it believed there was “near zero risk to AMD products at this time”.
Commenting on this, Craig Young, security researcher with Tripwire’s Vulnerability and Exposures Research Team, said:
“The Meltdown and Spectre vulnerabilities leverage side channel information leakage to effectively undermine some of the most fundamental security constraints employed by modern computers. In each case, an attacker can run code on an affected processor which leaks information stored in the computer’s memory. This includes things like passwords and cryptographic keys as well as information needed to more effectively exploit other vulnerabilities.”
“Meltdown is arguably the more serious of the two vulnerabilities and requires considerable operating system changes to mitigate. A countermeasure against another side channel attack was published over the summer and titled KAISER. In response to the newly discovered side channel, all major OS makers are now incorporating KAISER based countermeasures including KPTI in Linux.”
“Meltdown could have devastating consequence for cloud providers as Google researchers were able to demonstrate reading of host memory from a KVM guest OS. For a cloud service provider, this could enable attacks between customers.”