Thursday, January 4th, 2018
Nearly all computers worldwide – and many other devices – have been exposed to security flaws which leave them vulnerable to attacks by hackers.
Researchers discovered gaps in security stemming from central processing units – better known as the chip or microchip – which could allow privately stored data in computers and networks to be hacked.
So far no data breaches have been reported. So is it a big deal and what does it mean for you?
There are two separate security flaws, known as Meltdown and Spectre.
Bryan Ma, a senior analyst at technology consultancy IDC, says data centres and devices that connect to the cloud are also at risk.
First, let’s not panic. The UK’s National Cyber Security Centre (NCSC) said there was no evidence that the vulnerability had been exploited.
But now that it has been made public, there’s concern the bugs are discoverable and may be taken advantage of.
The BBC understands the tech industry has known about the issue for at least six months – and that everyone involved, from developers to security experts, had signed non-disclosure agreements. The plan, it seems, was to try to keep things under wraps until the flaws had been fully dealt with.
Consider the figures for personal computers alone: there are 1.5 billion in use today (desktop and laptop combined) and around 90% are powered by Intel chips, IDC estimates. That means exposure to the Meltdown bug is potentially huge.
The bugs potentially allow hackers to read information stored in a computer's memory and steal data such as passwords or credit card details.
Technology analyst Jake Saunders from ABI Research said it was not exactly clear what information might be at risk, but as the security gaps had been exposed “the question is whether other parties can discover and potentially exploit them”.
Device makers and operating system providers have had time to try to fix this. They are pushing out security updates, or patches, which will protect your computer, tablet or phone against a breach that uses the Meltdown vulnerability. Users should install these updates as soon as they are made available.
Microsoft, Apple and Linux, the three major operating system makers, are all issuing patches.
Apple has not said precisely when patches for earlier versions of macOS will be available, but the latest version, numbered 10.13.2, is safe.
Microsoft released an emergency Meltdown patch for Windows 10 on 4 January; it will subsequently be applied to Windows 7 and 8 machines.
Google said Android phones with the most recent security updates are protected, and users of web services like Gmail are also safe. Chromebook users on older versions will need to install an update when it comes. Chrome web browser users are expected to receive a patch on 23 January.
Security updates are also in the works for Apple laptops and desktops, though it is not clear whether iPhones and iPads are vulnerable.
Cloud services for businesses, including Amazon Web Services and Google Cloud Platform, say they have already patched most services, and will fix the rest soon.
Spectre is thought to be much harder to patch and no fix for it has yet been made widely available.
Some researchers have claimed that any fixes could slow down computer systems, possibly by 30%, but Intel believes these claims are exaggerated. It said any performance impacts were “workload-dependent” and the impact for average computer users “should not be significant”.
IDC’s Mr Ma agreed that for most regular users – who rely on their computer for web browsing and email – the security fixes were unlikely to slow their computer.
News about the bugs comes at an awkward time for the industry. Next week, CES, the giant consumer electronics trade show, kicks off in Las Vegas.
Many attendees will be wondering how the new products on display will be affected, and marketing materials detailing speed increases will likely have to be revised.
Experts also think that because Meltdown and Spectre reveal fundamental flaws in how computer chips are designed, there will have to be a serious rethink about how such technology is made in the future.
“It’s huge in the geek world,” wrote computer security researcher Rob Graham on his blog.
“We’ll need to redesign operating systems and how CPUs [central processing units] are made.”