A critical security flaw in Intel chips could make nearly every computer, phone, and server from the last 20 years vulnerable to dangerous bugs. Researchers discovered a flaw in Intel computer chips that could allow hackers to access the most sensitive parts of computers, which would enable them to steal personal information.
Google’s Project Zero, a team of security analysts, found the security flaw, which affects processors from Intel, AMD, and ARM. The critical vulnerability could allow malicious actors to steal passwords and sensitive information from smartphones, laptops, computers, and the servers that store so much of your personal information. Two bugs exploit this flaw; they are known as Meltdown and Spectre. Potentially every processor since 1995 (except Intel Itanium and Intel Atom before 2013) could be susceptible to the bugs. Meltdown and Spectre could also affect Android and ChromeOS devices. Google said exploiting the bug is “difficult and limited on the majority of Android devices.” Intel said, “many different vendors’ processors and operating systems are susceptible to these exploits.”
“Meltdown and Spectre exploit critical vulnerabilities in modern processors,” said MeltdownAttack.com. “These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
The Spectre bug can’t easily be fixed, and the chips will actually need to be redesigned to ensure security. The Meltdown bug can be corrected through a patch, but it could slow computers by as much as 30%. Intel said it’s working on a patch and noted that the average computer user won’t experience significant slowdowns as it’s fixed.
Unfortunately, you probably won’t know whether your device has been exploited, since neither bug leaves any traces in traditional log files. But there are some ways you can attempt to protect your devices from the Meltdown and Spectre bugs.
You can get patches for Firefox, Internet Explorer, and Edge for Windows 10. Google says it will roll out a fix with Chrome 64, but that won’t be released until January 23rd. Apple has yet to divulge how it will fix the Safari browser or macOS. There are patches against Meltdown for Linux (KPTI), Windows, and OS X.
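For the Linux (KPTI) patch mentioned above, the kernel's own status report can confirm whether the mitigation is active after updating. The script below is an added example, not part of the original article; it assumes a Linux kernel that exposes the /sys/devices/system/cpu/vulnerabilities directory, and its function names are illustrative.

```python
"""Report the Linux kernel's own view of Meltdown/Spectre mitigation status."""
from pathlib import Path

# Assumption: the running kernel exposes this sysfs directory (patched kernels do).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse verdict."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):      # e.g. "Mitigation: PTI" when KPTI is on
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(base: Path = SYSFS_DIR) -> dict:
    """Return {check_name: (verdict, raw_text)} for each entry in CHECKS."""
    report = {}
    for name in CHECKS:
        try:
            raw = (base / name).read_text().strip()
        except OSError:
            # The kernel does not report this item; treat it as unverified.
            report[name] = ("unreported", "")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report: dict) -> list:
    """List the checks that are not confirmed mitigated or unaffected."""
    bad = ("vulnerable", "unreported", "unknown")
    return sorted(name for name, (verdict, _) in report.items() if verdict in bad)


if __name__ == "__main__":
    rep = read_status()
    for name, (verdict, raw) in rep.items():
        print(f"{name:12} {verdict:13} {raw}")
    todo = needs_attention(rep)
    print("action needed:", ", ".join(todo) if todo else "none")
```

An "unreported" result means the kernel is not publishing a status for that item, which is itself a reason to check that the operating system update was actually installed.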
Microsoft has issued an emergency security patch through Windows Update, but third-party anti-virus software could prevent you from seeing the patch. Microsoft issued a statement on the issue:
We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.
From The Verge:
A firmware update from Intel is also required for additional hardware protection, and those will be distributed separately by OEMs. It’s up to OEMs to release the relevant Intel firmware updates, and support information for those can be found at each OEM support website. If you built your own PC you’ll need to check with your OEM part suppliers for potential fixes.
There was another worrying development surrounding the Intel fiasco: the computer chip company’s CEO allegedly knew of this flaw before making a ton of money by selling off a large portion of his Intel shares. Intel CEO Brian Krzanich pocketed $24 million on November 29, 2017, by selling shares he owned outright and exercising stock options. Krzanich sold as many Intel shares as he was allowed by the company, which requires him to keep 250,000 shares as per his employment agreement. Google reportedly informed Intel of the vulnerability way back in June, meaning that Krzanich would have known about the significant security vulnerability before the major sell-off. Both Intel and Google knew about the critical security flaw for months, yet did not inform the public. Because of the devastating news, Intel’s stock fell 3.4% on Wednesday to close at $45.26.