Google and Microsoft have exposed a computer chip flaw that could leak data from devices ranging from your smartphone to your baby monitor.
The companies disclosed a newly found variant of the Spectre and Meltdown chip flaws yesterday, potentially leaving millions of computers and mobile devices at risk.
Hackers could exploit the vulnerability to trick computers and other gadgets into revealing sensitive information stored on their memory systems.
The latest bug is the fourth Spectre-like flaw to be uncovered by researchers since the first was revealed in January.
Experts at Microsoft and Google said they had already worked with chipmakers to develop fixes for the vulnerability, which should roll out in the coming weeks.
As with other Spectre-like flaws, the new bug is linked to ‘speculative execution’ in Intel, AMD and Arm chips, which power hundreds of millions of devices worldwide.
Speculative execution is a key part of modern high-end computing in which the CPU predicts what might be required of it in the immediate future.
This clever technique allows the CPU to begin completing some tasks before you’ve even triggered them, drastically speeding up your device’s performance.
Spectre flaws reveal otherwise-secure data by tricking the processor into divulging the information it uses to predict your next move.
This lets hackers potentially fool error-free applications into giving up secret information.
The new Spectre variant is similar to the first and third versions of the bug, meaning many of the patches developed for these flaws should also work for the new one.
As a result, Intel, which worked with Microsoft and Google to expose the flaw, said it is classifying so-called Variant Four as medium risk, though, despite the safety net of existing patches, the company has also released a new patch.
Intel said in a statement: ‘To ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.’
Leslie Culbertson, general manager of Product Assurance and Security at Intel, added: ‘I continue to encourage everyone to keep their systems up-to-date, as it’s one of the easiest ways to ensure you always have the latest protections.’
The company is making the update opt-in as it could slow chips down by as much as eight per cent, it said.
It added it will release the new patch over the coming weeks and had already made it available to manufacturers and software vendors like Microsoft.
In a blog post, Microsoft researchers warned that although patches were already in place, hackers could still use the vulnerability to steal data.
They said: ‘An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries.
‘At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.’
Arm, another computer chip developer affected by the flaw, said most of its processors were not affected by the variant.
‘It is important to note that this method is dependent on malware running locally,’ the company said in a post.
An AMD security expert also warned users to update their systems and said an AMD-specific fix was being developed by Microsoft.
The original Spectre flaw was uncovered alongside a second CPU flaw called Meltdown by Google’s Project Zero researchers in January.
The vulnerabilities exposed hundreds of millions of chips from the last two decades to hackers.
While they were quickly patched, experts have remained braced for other versions or ‘variants’ of the major flaws to arise as hackers and security researchers raced to find additional vulnerabilities.
In January, Arm CEO Simon Segars predicted that a flaw similar to Spectre would pop up again.