Security flaws in virtually all phone and computer chips 'one of the worst CPU bugs ever found'

Securityresearchers disclosed a set of flaws Wednesday that they said could let hackers steal sensitive information from almost every modern computing device containing chips from Intel, AMD and ARM.

One of the bugs is specific to Intel, but another affectslaptops, desktop computers, smartphones, tablets and internetservers alike. Intel and ARM insisted that the issue was not adesign flaw, but it will require users to download a patch andupdate their operating system to fix.

Exploits for these bugs will be added to hackers's standard toolkits.- Dan Guido, consultant

"Phones, PCs, everything are going to have some impact, butit'llvary from product to product,"Intel chief executive Brian Krzanic said in an interview with CNBC Wednesday afternoon.

Researchers with Alphabet's Google Project Zero, in conjunction with academic and industry researchers fromseveral countries, discovered two flaws.

Meltdown and Spectre

The first, called Meltdown, affects Intel chips and letshackers bypass the hardware barrier between applications run byusers and the computer's memory, potentially letting hackersread a computer's memory and steal passwords.

The second, calledSpectre, affects chips from Intel, AMD and ARM and lets hackerspotentially trick otherwise error-free applications into givingup secret information.

The researchers said Apple and Microsoft had patches ready for users for desktop computersaffected by Meltdown. Microsoft declined to comment and Appledid not immediately return requests for comment.

Daniel Gruss, one of the researchers at Graz University ofTechnology who discovered Meltdown, called it "probably one ofthe worst CPU bugs ever found" in an interview with Reuters.

Gruss said Meltdown was the more serious problem in theshort term but could be decisively stopped with softwarepatches.

Spectre, the broader bug that applies to nearly allcomputing devices, is harder for hackers to take advantage ofbut less easily patched and will be a bigger problem in the longterm, he said.

Details leaked ahead of schedule

Speaking on CNBC, Intel's Krzanich said Google researcherstold Intel of the flaws "a while ago" and that Intel had beentesting fixes that device makers who use its chips will push outnext week. Before the problems became public, Google on its blogsaid Intel and others planned to disclose the issues on Jan. 9.

Google said it informed the affected companies about the Spectre flaw on June 1, 2017 and reported the Meltdown flawafter the first flaw but before July 28, 2017.

The flaws were first reported by tech publication TheRegister. It also reported that the updates to fix the problemscould causeIntel chips to operate fiveto 30 per cent moreslowly.

Intel denied that the patches would bog down computers basedon Intel chips.

"Intel has begun providing software and firmware updates tomitigate these exploits," Intel said in a statement.

"Contraryto some reports, any performance impacts are workload-dependent,and, for the average computer user, should not be significantand will be mitigated over time."

ARM spokesman Phil Hughes said that patches had already beenshared with the companies' partners, which include manysmartphone manufacturers.

"This method only works if a certain type of malicious codeis already running on a device and could at worst result insmall pieces of data being accessed from privileged memory,"Hughes said in an email.

AMD chips are also affected by at least one variant of a setof security flaws but that it can be patched with a softwareupdate. The company said it believes there "is near zero risk toAMD products at this time."

Software patches coming

Google said in a blog post that Android phones running thelatest security updates are protected, as are its own Nexus andPixel phones with the latest security updates. Gmail users donot need to take any additional action to protect themselves,but users of its Chromebooks, Chrome web browser and many of itsGoogle Cloud services will need to install updates.

Amazon Web Services, a cloud computing service used bybusinesses, said that most of its internet servers were alreadypatched and the rest were in the process of being patched.

The defect affects the so-called kernel memory on Intel x86processor chips manufactured over the past decade, The Registerreported citing unnamed programmers, allowing users of normalapplications to discern the layout or content of protected areason the chips.

That could make it possible for hackers to exploit othersecurity bugs or, worse, expose secure information such aspasswords, thus compromising individual computers or even entireserver networks.

Dan Guido, chief executive of cyber security consulting firmTrail of Bits, said that businesses should quickly move toupdate vulnerable systems, saying he expects hackers to quicklydevelop code they can use to launch attacks that exploit thevulnerabilities.

"Exploits for these bugs will be added tohackers'sstandard toolkits,"said Guido.

Shares in Intel were down by 3.4 per cent Wednesday following thereport but nudged back up to $44.70 US in after-hourstrading. Shares in AMD were up one per cent to $11.77,shedding many of the gains they had made earlier in the day whenreports suggested its chips were not affected.

It was not immediately clear whether Intel would face anysignificant financial liability arising from the reported flaw.

"The current Intel problem, if true, would likely notrequire CPU replacement in our opinion. However the situation isfluid," Hans Mosesmann of Rosenblatt Securities in New York saidin a note, adding it could hurt the company's reputation.