Security flaws in chips could affect most modern computer devices

A disturbing report is out from security researchers who have discovered two flaws in computer chips that could leave most devices vulnerable to hackers.

Alphabet Inc.'s Google Project Zero, in cooperation with industry and academic researchers from several countries, discovered the flaws.

Reuters:

The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory and steal passwords.  The second, called Spectre, affects chips from Intel, AMD[,] and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.

The researchers said Apple Inc[.] and Microsoft Corp[.] had patches ready for users for desktop computers affected by Meltdown.  Microsoft declined to comment and Apple did not immediately return requests for comment.

Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it "probably one of the worst CPU bugs ever found" in an interview with Reuters.

Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.  Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.

Speaking on CNBC, Intel's Krzanich said Google researchers told Intel of the flaws "a while ago" and [said] that Intel had been testing fixes that device[-]makers who use its chips will push out next week.  Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9.

The flaws were first reported by tech publication The Register.  It also reported that the updates to fix the problems could causes [sic] Intel chips to operate 5 percent to 30 percent more slowly.

Intel denied that the patches would bog down computers based on Intel chips.

Well, ain't that a kick in the head?  I don't know a lot about computers, but I know enough to see how significant this problem is.  No doubt the patch will be made available on most tech websites, which should help facilitate closing the vulnerabilities.  But not everyone will get the heads-up, which means that potentially, there are millions of devices that will remain vulnerable.

There is an arms race between computer security-researchers and developers and hackers.  It seems to me that the hackers always have the advantage because there is a time lag between developing new products and discovering their vulnerabilities.  Dedicated hackers – perhaps state-sponsored – are free to work full-time to look for holes in security they can exploit.  In just a few days, weeks, or months, hackers can render any computer device vulnerable to attack.

I'm not sure there's a viable solution at present except to keep your computer updated with security patches.  Any other suggestions?  Leave them in the comments for all to see.

A disturbing report is out from security researchers who have discovered two flaws in computer chips that could leave most devices vulnerable to hackers.

Alphabet Inc.'s Google Project Zero, in cooperation with industry and academic researchers from several countries, discovered the flaws.

Reuters:

The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory and steal passwords.  The second, called Spectre, affects chips from Intel, AMD[,] and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.

The researchers said Apple Inc[.] and Microsoft Corp[.] had patches ready for users for desktop computers affected by Meltdown.  Microsoft declined to comment and Apple did not immediately return requests for comment.

Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it "probably one of the worst CPU bugs ever found" in an interview with Reuters.

Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.  Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.

Speaking on CNBC, Intel's Krzanich said Google researchers told Intel of the flaws "a while ago" and [said] that Intel had been testing fixes that device[-]makers who use its chips will push out next week.  Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on Jan. 9.

The flaws were first reported by tech publication The Register.  It also reported that the updates to fix the problems could causes [sic] Intel chips to operate 5 percent to 30 percent more slowly.

Intel denied that the patches would bog down computers based on Intel chips.

Well, ain't that a kick in the head?  I don't know a lot about computers, but I know enough to see how significant this problem is.  No doubt the patch will be made available on most tech websites, which should help facilitate closing the vulnerabilities.  But not everyone will get the heads-up, which means that potentially, there are millions of devices that will remain vulnerable.

There is an arms race between computer security-researchers and developers and hackers.  It seems to me that the hackers always have the advantage because there is a time lag between developing new products and discovering their vulnerabilities.  Dedicated hackers – perhaps state-sponsored – are free to work full-time to look for holes in security they can exploit.  In just a few days, weeks, or months, hackers can render any computer device vulnerable to attack.

I'm not sure there's a viable solution at present except to keep your computer updated with security patches.  Any other suggestions?  Leave them in the comments for all to see.