MELTDOWN COULD BE IMMINENT for the central processing unit (CPU) world as the security flaw that affects Intel chips has been found to blight other slices of silicon.
A flaw in the design of all Intel CPUs made in the last decade essentially allows kernel memory data to be read by commonly used programs, which if exploited could lead to hackers extracting important protected information such as passwords and encryption keys from programs and operating systems.
Dubbed Meltdown, the flaw has an operating system level fix that separates the kernel from a program or process' virtual memory, which has the effect of slowing down machines.
So that's not exactly great, though Intel appears to be downplaying the situation a bit.
"Intel believes these exploits do not have the potential to corrupt, modify or delete data," the chip maker said.
"Recent reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits.
"Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
"Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."
But that's just one aspect of the security story.
While Meltdown only affects Intel chips, another similar problem has been found to affect ARM and AMD chips as well as Intel CPUs. It allows protected information within programs and apps to be read by other programs with just regular user permissions. Again, such a flaw could give hackers an easy shot at nicking private data.
Named Spectre, this flaw can be used to exploit how modern CPUs prioritise and order processes and interactions with kernel and cache memory, and affects all manner of devices from smartphones to cloud servers.
The latter is particularly insidious, as hackers could access kernel and sensitive program data on servers supporting virtual machines.
The kernel in host machines and servers is designed not just to keep programs separate but keep virtual users apart; exploiting the Spectre flaw could allow hackers to snoop on users connected to the host machine as well as influence virtual machines hosted by the server.
For individual users, this flaw isn't such a problem as a hacker will need to have the ability to run code on a targeted machine in the first place, meaning it will have to be compromised before Spectre - or indeed Meltdown on Intel machines - can be exploited.
And there's no easy fix as plugging Spectre looks to require software to be recompiled to defend against potential attacks from other programs, and ultimately a redesign of CPU architecture may be needed to fully mitigate the risk of exploitation.
There's a myriad of reactions floating around at the moment. AMD claims there's "near zero risk" to its processors from Spectre due to differences in chip architecture, while ARM notes that the majority of its chips are unaffected.
As the flaw has been around for some time but kept under wraps as companies started work on fixes, the likes of Linux, Apple, Google and Microsoft are all touting fixes or patches they are working on for rollout very soon.
On the cloud side, Amazon Web Services noted that most of its infrastructure has been made safe against such exploits.
But given Google found that there are three variants of the chip-level flaw - Meltdown and two Spectre flaws - it appears that there's not one easy 'fix all' solution to the problem, meaning that many vendors may have only patched against the vulnerability that affects them rather than plugging the security holes as a whole.
The main question is: have I been affected and should I be worried? Well yes, yes and no.
Spectre and Meltdown affect a vast number of processor chips, particularly given how many PCs and laptops contain Intel CPUs.
But for individuals to be targeted a hacker already needs access to your machine, so if that's secure then you should be safe from the CPU flaws.
On the server side of things, the problem is more serious given the scope for damage and interference. So if you're running virtual workstations and hypervisors you should certainly consider patching as soon as possible.
The good news is that though the flaws have now been made public, hackers will still need time to figure out how to exploit them, meaning there's a grace period for patches to be applied.
Furthermore, by keeping the flaw quiet, various companies have had around six months or so to work out fixes, so while the security risk isn't over at least it's in the process of being tackled.
"This flaw has existed for years and has been documented about for months at least, so there is no need to panic; nevertheless, we recommend that you keep your eyes out for patches for the operating systems you use, probably in the course of January 2018, and that you apply them as soon as you can," said Paul Ducklin, senior technologist at Sophos.
The overarching issue is that the Spectre and Meltdown flaws would indicate that there's a fundamental problem with how CPUs are designed and that future chips may need a reworked architecture to prevent such security holes cropping up in the future.
This could be a major pain for both Intel and AMD, which have both recently released new CPUs built around well-established processor blueprints.
So such changes are likely to be costly, but the silver lining is they could yield more innovative chip designs that extract even more power and efficiency from processors without compromising security. µ