Two serious security problems affect a large part of the processors built in the last twenty years, making it theoretically possible to access the data on the devices that use them by malicious users. After days of very limited information, in which it was assumed that the vulnerability was only one and linked to Intel products (the largest processor manufacturer in the world), in the last hours a group of researchers has published the documentation that proves the existence of two distinct flaws called “Meltdown” and “Specter”: for the first there is a solution, while the second will take longer to be resolved and according to experts “it will haunt us for some time”.
Put simply, computers, smartphones, and other electronic devices work thanks to a processor, a component that manages commands and coordinates resources. The greater its computing capacity, the greater the amount of operations it can perform in a certain period of time: the speed of the devices we use depends on many things, but one of the most important is precisely this computing power. Part of the processor's power is given by the ability to manage its own internal memory, very fast, on which the processes that make the operating system and other programs work are processed. The two flaws are due to the way processor architectures are made (i.e. how they are designed) and, in some circumstances, they can be exploited by malicious software to spy on the activities of other programs, stealing data without being able to modify it.
Through Meltdown and Specter, the researchers write on the site they created to explain the problem, various information, such as passwords, photographs, emails and documents of all kinds, can be stolen without the knowledge of computer owners. The two flaws can be exploited in different ways, but they lead to more or less the same result: Specter is more difficult to exploit, but also much more complicated to fix with a software update. Being caused by the way processors are made, the two flaws can only be fixed by changing the way operating systems work, which could significantly slow down some types of processors.
It is very likely that the device you are reading this on is affected to some extent by one of the two security holes, while there is no way to know for sure if anyone has exploited this vulnerability in the past to steal information from your devices ( the possibility is however extremely remote). An antivirus system can help reduce the problem, in case it manages to identify malicious software that tries to exploit the two flaws, but only an update of the operating system can be decisive, at least for Meltdown.
Meltdown
It is the flaw that has been talked about the most in recent days, albeit with information still unclear. It affects desktop computers, laptops and cloud systems that use several generations of Intel processors, produced since 1995 (the Itanium and Atom versions seem to be an exception, but only if produced before 2013). For now, the researchers are certain that the flaw concerns Intel, while checks are still underway to ascertain whether processors from other brands and with different architectures such as ARM and AMD are also involved.
Specter
Researchers estimate that “practically all systems” are affected by Specter, therefore: desktop computers, laptops, cloud servers and smartphones. The problem affects Intel, AMD and ARM processors. The extent of the flaw therefore appears to be much greater and for security experts the prospects are not encouraging, considering that a software solution to this problem requires a complex approach, therefore more time.
What Intel and others are saying
After weeks of silence, due in part to the need to give developers time to find solutions to the problem, Intel has released a statement in which he says that: “many processor manufacturers and consequently operating systems are subject to this flaw”. AMD has so far said it is unaware of any problems related to its processors, but another Google-linked computer research group claims that it has managed to carry out an attack on AMD's FX and PRO processors. ARM, one of the main manufacturers of processors for mobile devices, has instead confirmed that it has security problems with some models.
Google has published some details explaining that the problem affects its Android operating systems for smartphones and ChromeOS for computers, adding however that the flaw “is difficult” to exploit on “most Android devices”. Updates are already planned to contain the problem, although it is not clear which solutions can be resolved without affecting the speed of the devices.
Microsoft has already released an emergency security update for Windows, its operating system, and more updates are planned in the coming days to further mitigate the problem. The update can be installed from Windows Update on your computer, but it should still be installed on the first reboot if the automatic updates option is enabled. With some types of Intel processors, the update may lead to system slowdown.
Apple has not disclosed information at the moment, but for a few days there have been news about an update already released with the 10.13.2 version of macOS to partially solve the problem.
With regard to Meltdown, and therefore in particular Intel processors, the software solutions could lead to significant slowdowns, estimated between 5 and 30 percent of cases depending on the conditions and the processing to be managed at that time. The slowdowns should be negligible on the computers of individual users, except in exceptional cases, while they could cause some complications in very complex systems, such as those that manage cloud services through thousands of computers (servers) connected to each other. A slowdown, even by just 5 percent, could cause disruption and other consequences.
Intel lost just over 3 percent on the stock market yesterday, but more substantial losses in the next few days are not excluded. Business Insider reported that the company's CEO, Brian Krzanich, sold the equivalent of $ 24 million worth of Intel shares last November and now owns approximately 250,000 shares, the minimum he is required to hold under contract. Intel received the first information about the processor leaks in June last year, but claims the stock sale was already planned and unrelated to news of security issues. However, the sale of the shares was scheduled for October.