Meltdown, Spectre chip flaws raise questions about hardware security

by Alyssa Newcomb /
Image: A laptop that uses Intel's sixth-generation Core chip known as Skylake
A laptop that uses Intel's sixth-generation Core chip known as Skylake, at the Intel booth during CES International in Las Vegas on Jan. 7, 2016.John Locher / AP file

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.

Flaws in computer chips are unusual, which is what makes Meltdown and Spectre, the stunning set of security vulnerabilities released on Wednesday, such a massive problem for users around the world.

Virtually every modern computing device is affected by the flaws, leaving technology companies scrambling to release patches to mitigate the threat, which could otherwise leave sensitive information exposed to hackers.

"It's a very big deal and the only thing people can do is wait for patches on systems and apply them," said Shuman Ghosemajumder, chief technology officer at Shape Security.

Image: A laptop that uses Intel's sixth-generation Core chip known as Skylake
A laptop that uses Intel's sixth-generation Core chip known as Skylake, at the Intel booth during CES International in Las Vegas on Jan. 7, 2016.John Locher / AP file

Related: Security flaw puts virtually all phones, computers at risk

The security flaws are located in each computer's brain, known as the central processing unit or CPU. Processors are able to predict what tasks they will need to execute. This is known as "speculative execution" and allows the processor to simultaneously access multiple places of memory.

While this data is supposed to be protected, researchers found some instances when the processor would leave the data exposed during the process.

"The attacks that have been identified are really taking advantage of how CPUs have been designed for quite some time," said Ghosemajumder.

Meltdown and Spectre were discovered by researchers from Google Project Zero and academic institutions around the world.

Meltdown has currently only been identified on Intel processors. Researchers said it is unclear if processors made by ARM and AMD are also affected.

Spectre is even more pervasive, affecting everything from desktop, laptops, smartphones, and cloud servers. It's been identified on processors made by Intel, AMD and ARM, according to researchers.

The U.S. Computer Emergency Readiness Team said the flaws "could allow an attacker to obtain access to sensitive information" and that a patch would only mitigate the threat.

Many companies have already been rolling out software updates. The most important action users can take right now is to make sure they are current on any software updates, said Ghosemajumder.

Intel said in a statement it has already issued updates "for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years."

"In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services," the chip maker said in a statement on Thursday.

The news prompted Intel's shares to slide more than 2 percent during trading on Thursday.

Perhaps the silver lining to all of this: US-CERT said it is not aware of any active exploitations at this time. Researchers also said they can't confirm if Spectre or Meltdown have been executed "in the wild."

But the attacks do live up to their ominous names, because even if you were compromised, researchers said you likely wouldn't even know it.

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
MORE FROM news