Cybersecurity researchers have discovered two flaws in microprocessors that could grant hackers access to the entire memory stored on practically any computer in the world, forcing major tech companies to rush out software fixes.
On a website created to explain the flaws, researchers wrote that they "don't know" if hackers have exploited the bug.
The day after the research became public, Intel, whose processors are among the most vulnerable to both exploits, said in a statement that it "has already issued updates for the majority of processor products introduced within the past five years" and would issue updates for 90% of those processors by the end of next week. The bugs could affect processors manufactured as early as 1995, according to the researchers who discovered them, but Intel did not address that possibility.
Researchers said they named one flaw "Meltdown" because it "basically melts security boundaries which are normally enforced by the hardware." The name "Spectre" for the second flaw came from the fact that there is no easy fix, which means it will likely "haunt us for quite some time."
Researchers said that the Meltdown flaw could affect nearly all of the microprocessors made by Intel since 1995, which power the vast majority of the world's personal computers and those used by businesses. Researchers said that they successfully tested the exploit on Intel processors made as early as 2011.
"Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer," the 13 researchers wrote.
Spectre could affect personal computers, smartphones, and servers because it's present on Intel processors, as well as those made by AMD and ARM, two of the world's other major processor makers, the researchers warned.
Both flaws are part of "speculative execution," which most processors use to speed up their performance. According to the New York Times, patching them could slow down computers by up to 30%. Intel has been hit with three class action lawsuits over to the vulnerabilities since Wednesday.
In a blog post responding to the research, Intel said the flaws described had "the potential to improperly gather sensitive data from computing devices that are operating as designed," but that the company "believes these exploits do not have the potential to corrupt, modify or delete data."
A blog post published the next day downplayed the significance of the bugs: "Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time."
AMD, another major processor manufacturer, also acknowledged the flaws in a statement.
Researchers believe Spectre is more difficult to exploit than Meltdown. There appeared to be no known fix when the research became public, but Google engineers said the next day that they had developed solutions that did not impact performance in a noticeable way.
Major companies have issued emergency updates to patch the vulnerabilities.
"All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time," Apple said in a statement.
On Thursday, Apple added that it had already released fixes for Meltdown within iOS 11.2, macOS 10.13.2, and tvOS 11.2. For Macs and iPhones, Apple said, there was "no measurable reduction in the performance." It did not address Apple TV's performance in the statement.
On Friday, the company said the Apple Watch is not affected by either of the vulnerabilities. The Spectre vulnerability affects all Apple devices, as well as Safari, according to the statement.
Three days later, Apple released three updates to protect the Mac operating system, Safari, and iPhones from Spectre: Safari 11.0.2, a supplement to macOS High Sierra 10.13.12, and iOS 11.2.2. The company thanked the researchers who discovered the vulnerabilities in the acknowledgement sections of the updates.
The open-source community that oversees the Linux operating system, which powers around 30% of the world's computer servers, has posted a patch for Meltdown, the New York Times reported.
In a blog post for Google, senior security engineer Matt Linton and Pat Parseghian, a technical program manager, published a laundry list of Google products that needed updating to circumvent the flaw. They include Android, G Suite (Gmail, Calendar, Drive, etc.), Chrome, Chrome OS (used in Chromebooks, which are popular in schools), Google Home and Chromecast, and more.
Android users with the latest update are protected, Linton and Parseghian said, and G Suite and Google Home users did not need to take action. But Chrome users need to update their browsers, as do Chrome OS users.
In a follow-up post, Linton and Parseghian said that Google had developed fixes for both bugs and deployed them along with a known solution across the servers that support many of the company's flagship products with "negligible impact on performance."
Mozilla also notified its users that it might have been swept up in the attack and said it was updating its Firefox browser to try and circumvent the risk.
Amazon said in a statement that "all but a small number" of its Amazon Web Services cloud servers "are already protected," and that the remainder would be updated and shielded by Wednesday night. It advised customers to update on their end as well.
You can watch Meltdown in action here:
Blake Montgomery is a reporter for BuzzFeed News and is based in San Francisco.
Contact Blake Montgomery at email@example.com.
Got a confidential tip? Submit it here.