A flaw in computer chips that affects millions of devices around the world is being fixed, but will force a major rethink in how systems are designed, a security researcher has said.
On Wednesday, Google researchers revealed two flaws – known as Meltdown and Spectre – had been found in processor chips made by Intel, AMD and ARM which could be used to access personal data on a computer.
However, cyber security expert Robert Graham said the flaw was “probably not news the average consumer needs to concern themselves with”, but added it would change how central processing units (CPUs) – a core component of computing – are built.
“If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” he wrote on the Errata Security blog.
“While not a big news item for consumers, it’s huge in the geek world. We’ll need to redesign operating systems and how CPUs are made.”
The UK’s National Cyber Security Centre (NCSC) said so far there was “no evidence” the flaw had been exploited by hackers, and many tech firms have said they are either working on or have already issued fixes.
“The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available,” it said in a statement.
Some software updates had already been issued that addressed the flaw, including from Google, Microsoft and Apple.
According to the Google researchers, the flaw uses a function called speculative execution, which is normally used to optimise computer performance, to access sensitive information in a system’s memory that would normally be out of reach, including passwords and other data.
In response, Intel said it was working with other firms to issue security updates.
“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,” the firm said in a statement.
“Intel has begun providing software and firmware updates to mitigate these exploits.
“Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.”
It claimed “inaccurate media reports” on the flaw had forced a statement earlier than planned, with Google’s research confirming an industry-wide “co-ordinated disclosure date” had previously been set for January 9.
Google’s research team said three variants of the flaw were discovered, two that made up the Spectre flaw and a third for Meltdown, which is currently said to affect only Intel chips.
In its own response, AMD said it had created a software update to patch the first Spectre variant, and claimed there was a “near zero risk” of the other two affecting its products because of unique design characteristics.
ARM said the “majority” of its processors were not impacted by the flaw, but has posted details of 10 processors affected along with steps on how to mitigate the issue.
Nigel Houlden, the head of technology at the Information Commissioner’s Office, said: “We are aware of reports detailing potentially significant flaws in a wide range of computer processors, which could affect various operating systems.
“We strongly recommend that organisations with affected hardware test and apply patches from suppliers as soon as they are released.
“All organisations have a duty to keep personal information in their care secure and that involves having layered security defences in place, including procedures for applying patches and updates, to help to mitigate the risk of exploitation.”