Security researchers have discovered two major security flaws affecting billions of computers, laptops, cell phones, servers, and cloud operating systems made in the last two decades, it was revealed this week.
The vulnerabilities, named "Meltdown" and "Spectre," could allow hackers to steal passwords, emails, credit card and bank information, and a plethora of other data stored in a computer's memory. According to independent researchers, virtually every computing system is affected by Spectre, while it seems that Meltdown specifically affects chips made by Intel.
"An attacker might be able to steal any data on the system," Daniel Gruss, the security researcher who discovered Meltdown, told ZDNet. (Intel claims the flaws will not allow unauthorized users to "corrupt, modify or delete data.")
Researchers who discovered the vulnerabilities disclosed the information last year to tech giants including Microsoft, Apple, and Intel. Following the protocol, known as "responsible disclosure," the firms worked to develop fixes before the flaws were publicly announced so as not to alert hackers to their existence.
How Do These Security Flaws Work?
Modern microprocessors all use a technique called "speculative execution" in an effort to make your computer work faster. Instead of carrying out tasks strictly one after another, the processor predicts what it might need to do next and works on those tasks in advance, at the same time as other tasks. The bottom line? Your processor works faster because it's performing commands in parallel rather than waiting to do them in order.
But faster processing comes with risks, as Gizmodo explains:
"There's a serious flaw in the way modern processors are hardcoded to use speculative execution—they don't check permissions correctly and leak information about speculative commands that don't end up being run.
"As a result, user programs can possibly steal glimpses at protected parts of the kernel memory. That's memory dedicated to the most essential core components of an operating system and their interactions with system hardware, and it's supposed to be isolated from user processes at all times to prevent such glimpses from happening. Everything from passwords to stored files could be compromised as a result."
How Do I Protect Myself?
So far, there have been no documented cases of compromises based on these flaws. But now that they are public knowledge, the clock is ticking—and almost all devices are vulnerable.
Tech companies have been scrambling to release patches for the vulnerabilities, though patches can't fully fix Spectre. Ultimately, these processors will have to be redesigned. (Many of these patching efforts, experts note, will also slow down your computer.)
Update: As of January 9, the emergency patches have been causing problems on certain systems. Some computers with AMD processors have stopped booting up with the patch in place, according to several reports. As a result, Microsoft has halted the security patch for some AMD systems—though the tech giant has not specified which systems are vulnerable.
Meanwhile, Intel has been reticent about offering many specific details about the vulnerabilities and the company's response. CEO Brian Krzanich said this week that "some workloads may experience a larger impact than others" with the security updates, but hasn't specified how.
In his keynote speech at CES on Monday, Intel CEO Brian Krzanich said: "We have not received any information that these exploits have been used to obtain customer data."
Don't Ignore the Security Patches
The best way to protect yourself right now is to make sure your devices are updated with the latest patches and protections, says Bob Sullivan, an independent journalist and security expert. That means that when you get a notification of a security update, don't delay: download the update immediately.
Beyond doing those updates, "there isn't much that regular consumers can do—we can't replace all these chips," Sullivan says. "The good news is it's a little technical to exploit, so you [likely] won't be a victim tomorrow. But this is going to linger."
Google, Apple, and Microsoft have all issued various patches and updates for their web browsers, Android phones, iPhones and iPads, Mac computers, and Windows computers. CNET offers a full list of patches and how to make sure you have them.
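On a Linux machine you can confirm that the patches took effect rather than assume it. The script below is an added example, not from this article or any vendor: it assumes a Linux kernel that reports mitigation status under `/sys/devices/system/cpu/vulnerabilities`, the function names are illustrative, and the sample values written by `write_sample` are constructed.

```shell
#!/bin/sh
# Added example: summarize Meltdown/Spectre mitigation status on Linux.
# Assumption: the kernel exposes one status file per flaw in VULN_DIR.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status <line>: map a kernel status line to a short verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_flaw <dir> <name>: print "<name> <verdict>". A missing file means
# the kernel is too old to report status, which itself suggests no patch.
check_flaw() {
    file="$1/$2"
    line=""
    if [ ! -r "$file" ]; then
        echo "$2 unreported"
        return 0
    fi
    IFS= read -r line < "$file" || true   # tolerate a missing final newline
    echo "$2 $(classify_status "$line")"
}

# audit <dir>: report all three flaws; return 1 if any needs attention.
audit() {
    dir="$1"; rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        result=$(check_flaw "$dir" "$name")
        echo "$result"
        case "$result" in
            *" mitigated"|*" not-affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# write_sample <dir>: constructed sample files for trying the script offline.
write_sample() {
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Vulnerable\n' > "$1/spectre_v2"
    # spectre_v1 is left out on purpose to model an unreported entry
}

# Check the live system only when called with "run" as the first argument.
[ "${1:-}" != "run" ] || audit "$VULN_DIR"
```

A "vulnerable" or "unreported" result means the operating system or firmware update for that flaw is still missing.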
In the meantime, here are some other steps to take to help keep your personal information safe:
- Make sure you have enabled two-factor authentication on as many of your sensitive accounts as possible.
- Anytime you think an account was involved in a hack or breach, it's always a good idea to change your password.
- Check your credit card statements and credit report regularly to help catch anything suspicious. If your personal information gets into the hands of a hacker, it could be sold on the dark web, so you may not notice red flags immediately.
- Consider an identity protection product. It can help you keep an eye on things such as a new account being opened in your name.