computer chip flaw

Tech firms are rushing to issue software fixes for the Meltdown and Spectre computer chip flaw.

A computer chip flaw that affects millions of devices around the world is being fixed, but will force a major rethink in how systems are designed, a security researcher has said.

On Wednesday, Google researchers revealed two flaws – known as Meltdown and Spectre – had been found in processor chips made by Intel, AMD and ARM which could be used to access personal data on a computer.

Sounds serious…

However, cyber security expert Robert Graham said the flaw was probably not news the average consumer needs to concern themselves with, but added it would change how central processing units (CPUs) – a core component of computing – are built.

“If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” he wrote on the Errata Security blog.


“While not a big news item for consumers, it’s huge in the geek world. We’ll need to redesign operating systems and how CPUs are made.”

The UK’s National Cyber Security Centre (NCSC) said so far there was “no evidence” the flaw had been exploited by hackers, and many tech firms have said they are either working on or have already issued fixes.

“The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available,” it said in a statement.

Already on it

Some software updates had already been issued that addressed the flaw, including from Google, Microsoft and Apple.

According to the Google researchers, the flaw uses a function called speculative execution, which is normally used to optimise computer performance, to access sensitive information on a system’s memory that would normally be out of reach, including passwords and other data.

In response, Intel said it was working with other firms to issue security updates.

“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,” the firm said in a statement.

“Intel has begun providing software and firmware updates to mitigate these exploits.

“Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.”

Computer chip flaw has zero risk

Intel claimed “inaccurate media reports” on the flaw had forced a statement earlier than planned, with Google’s research confirming an industry-wide “co-ordinated disclosure date” had previously been set for January 9.

Google’s research team said three variants of the flaw were discovered, two that made up the Spectre flaw and a third for Meltdown, which is currently said to affect only Intel chips.


In its own response, AMD said it had created a software update to patch the first Spectre variant, and claimed there was a “near zero risk” of the other two affecting its products because of unique design characteristics.

ARM said the “majority” of its processors were not impacted by the flaw, but has posted details of 10 processors affected along with steps on how to mitigate the issue.

Nigel Houlden, the head of technology at the Information Commissioner’s Office, said: “We are aware of reports detailing potentially significant flaws in a wide range of computer processors, which could affect various operating systems.

“We strongly recommend that organisations with affected hardware test and apply patches from suppliers as soon as they are released.

“All organisations have a duty to keep personal information in their care secure and that involves having layered security defences in place, including procedures for applying patches and updates, to help to mitigate the risk of exploitation.”


10 COMMENTS

  1. Saying only geeks should be worried is just downright BS, it affects EVERYONE. EVERYONE uses passwords, online banking being an example.

  2. But the way the media are reporting it, you would think that everyone is suddenly at the mercy of all the hackers out there. The vulnerability needs carefully crafted malicious code to be executed on your computer for a significant time in order to extract sensitive data. That code needs first to be created, and secondly to get on your computer. If you are careful about what websites you visit and don’t run untrusted programs, you are no more likely to run Meltdown or Spectre code than you are to run any other existing malware.

    Cloud systems are a different situation entirely, as malicious code on one virtual machine has the potential to peek into other VMs on the same host. But this is being addressed by cloud providers.

  3. Unfortunately, the headline “There’s hardly any risk at all in newly discovered computer security flaw” isn’t as impactful as say “Massive Computer Chip Security Flaw affects billions of people world-wide.” The media always has a tendency to overinflate the dangers to make things that are realistically barely newsworthy into front-page headlines.
    And, to be honest, the media have potentially made the issue worse, because they have let every hacker on the planet know that there is a potentially exploitable security flaw – forcing Intel, Microsoft, etc, to rush out patches…..

  4. I have been planning to buy a new machine dedicated to graphic and video editing, as security on that machine would not be an issue but speed and efficiency of CPU is dramatically important. Now plans are on hold as if the machine will for example go down 30% of efficiency then I feel like paying for 10 litres of petrol but actually getting only 7 litres. Find this news very disappointing as the efficiency of the CPU is going down but price stays steady.

  5. The process of speculative pipelining has been in use since at least the early 70’s on mainframes. The technique of pre-processing the two possible outcomes of a branch instruction (if…. then….. else etc) before the condition was satisfied became good practice and most systems used it before Intel made 86x chips.

  6. @lukasz What software are you using? If highly threaded, then the AMD Ryzen or ThreadRipper would be your best choice

  7. Ah an article saying no problem from a company selling the buggy chips and computer systems (like they all are) saying problem overhype, about chips which WILL be slowed down by 5-30% in weeks and all advice is to upgrade at the first opportunity. Let me think about that one.

  8. @Kev This is nothing like the millennium bug. The millennium bug was a time issue where dates that were two digit based systems would effectively roll back to 00 from 99. The problem was therefore only of crashing, incorrectly stating that the year did not exist or that year 2000 was before 1999 not after.

    As an aside why there were no problems with Y2K was because millions of dollars/pounds/hours etc were spent evaluating and solving the issues before they became an issue.

    In this case it is information being extracted like passwords and potential access to double verification security features getting at anything you have logged into with even the highest level of security.

  9. The headline is wrong. This is not a flaw. With an out bound back door to allow others to connect without a user knowing. It’s been there for years, and ‘now’ they “rush” to fix it. This is a design cock-up that some would say it was deliberate.
