The world's computer-chip and software makers scrambled Thursday to respond to the discovery of two widespread hardware vulnerabilities disclosed by cybersecurity experts that could affect most of the world's modern computing devices.
Tech manufacturers and researchers described the two vulnerabilities as design flaws, long present in most modern chips. The bugs, dubbed Spectre and Meltdown, make data stored in the working memory of shared servers and individual devices--including personal computers, tablets and smartphones--vulnerable to attack.
The flaws could allow hackers to access and steal data from devices or servers. To take advantage of either bug, however, a hacker must run malicious software on the central processing unit--essentially the brains of any modern computing device--of the machine they are targeting.
Companies and several government cybersecurity agencies said there was no indication so far of reports of any significant breaches related to the two flaws.
Still, because of the widespread nature of the flaws, Intel Corp., Microsoft Corp., Amazon.com Inc., Alphabet Inc.-owned Google and others moved quickly to explain the nature of the bugs and what they have done to minimize the threat, including rolling out software fixes. Some patches, however, could slow down computers, security experts warned, though it was unclear Thursday whether they were causing any major disruptions.
The U.S. Computer Emergency Readiness Team, a cybersecurity center that is part of the U.S. Department of Homeland Security, said late Wednesday that it was aware of the two bugs. It encouraged system administrators to contact software vendors for ways to patch them. CERT said it wasn't aware of any "active exploitation" of the bugs.
A spokesperson for the National Cyber Security Centre, an arm of the U.K.'s intelligence agency, said it wasn't aware of evidence of "malicious exploitation" of the flaws. "The NCSC advises that all organizations and home users continue to protect their systems from threats by installing patches as soon as they become available."
Google said its researchers had identified the flaws and had planned to disclose them--as well as what it has done to fix them--later this month. But it moved up action after the bugs were widely disclosed Wednesday. Often firms and researchers working to protect systems from hacks hold off on disclosing bugs widely to minimize the risk that potential hackers could exploit them.
Google said it had mitigated the vulnerabilities in many of its own products at risk. For instance, it said users of its Android operating system who have installed the latest security fixes didn't need to do anything else. Users of Google's Chrome browser, however, were asked to take specific action in some cases to protect their systems.
Google said it had also patched its cloud platform that it leases to businesses. But it said that its cloud customers must implement the patch within their own systems.
Amazon said it had notified its web-services customers that it was patching its data centers. The company said that customers need to patch the operating systems they are running on top of Amazon's infrastructure. Microsoft said it has "been working closely with chip manufacturers to develop and test mitigations to protect our customers."
The two flaws could affect practically every computer on the globe running a modern central-processing unit, or CPU, according to researchers that first identified them. They pose a particular danger for shared machines that have many users--such as those in data centers used for cloud computing--because they could allow one user to grab sensitive data belonging to another user, such as passwords or encryption keys.
They take advantage of tricks that modern chips use to speed up their performance, where chips perform calculations out of order, or guess what calculations they will have to do, rather than waiting for all the information they need to complete each step in order. Researchers showed that hackers could use those speculative, or out of order, instructions to trick chips into revealing sensitive data elsewhere in the processor's memory.
The bug called Meltdown allows software to jump over protections that would normally restrict access to a device's memory, giving hackers access to core functions of the machine as well as data from other users. Researchers say that bug is easier to patch than Spectre, although the patch could slow the performance of the machines that use it.
In a conference call late Wednesday, Intel's general manager of data center engineering, Stephen Smith, said any potential exploit "is really not the result of product erratum. The processors are really operating as they should operate, as they were designed to operate and validated to operate."
He said software patches can help mitigate the flaw, and that Intel launched an industrywide collaboration to incorporate a fix in the hardware.
There are existing patches against Meltdown for Microsoft's Windows, Apple Inc.'s Mac OS and Linux, a family of open-source operating systems. But it is up to companies, such as cloud providers, to apply them.
In the case of Spectre, the flaw is so deeply embedded in the way modern chips are designed that while some patches can stop known exploits, fully fixing it will require redesigning computer chips and then replacing those currently in use, according to a federally funded cybersecurity center at Carnegie Mellon University.
Spectre appears to affects chips designed or made by Intel, Advanced Micro Devices Inc. and SoftBank Group Corp.-owned ARM, a British-based chip designer.
An ARM spokesman said the majority of its processors weren't impacted, and those affected were certain high-end chips. The spokesman said ARM was working with Intel and AMD to patch the possible hacking method, "which is not an architectural flaw or a bug." In the worst-case scenario, a hacker could access "small pieces of data."
AMD said in a statement that software patches resolved one of the vulnerabilities with "negligible impact expected," while the differences in the way AMD chips are designed means "there is a near zero risk" they are vulnerable to the other attacking methods.
Write to Sam Schechner at firstname.lastname@example.org and Stu Woo at Stu.Woo@wsj.com
(END) Dow Jones Newswires
January 04, 2018 08:26 ET (13:26 GMT)