Your laptop could soon be running noticeably slower, an Australian security expert says, as the world's computer industry scrambles to counteract two major flaws just discovered in the design of almost all of the world's processors.
Security researchers have disclosed a pair of security flaws, dubbed Meltdown and Spectre, that they say could let hackers steal sensitive information from nearly every modern computing device, from smartphones and laptops to the machines that power the internet.
The former is specific to Intel processors, which power the majority of computers and cloud servers, and can be negated by a software update issued to the computer's operating system. These updates, which will come as automatic downloads for Windows, MacOS and Linux, are important for users to protect their machines and information.
The downside, says Threat Intelligence director Ty Miller, is that patched machines will be less efficient.
"You may lose anywhere between 15 to 30 per cent of your [computer's] power. Things like starting software, or browsing the internet, may actually slow right down," Mr Miller said.
The Meltdown flaw affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, potentially allowing users of normal applications to discern the layout or content of protected areas on the chips. This theoretically allows hackers to exploit other security bugs, or worse, read data directly from the kernel of a processor, potentially gaining access to information previously thought to be unreadable as the machine processes them.
Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, calls it "probably one of the worst CPU bugs ever found".
"Currently the way the memory is accessed by the operating system, it can access both the kernel memory and the user memory at the same time, in the same context. What needs to happen to prevent this vulnerability is that the operating system needs to switch from the user context to the kernel context and switch back again, which is going to slow down performance," Mr Miller said.
While patched machines might become more efficient over time, Mr Miller said, an initial drop in performance was all but unavoidable. Because it was a hardware flaw, your hardware would probably need to be replaced with eventual chips that weren't subject to this flaw before they could run at full capacity.
"Makers of operating systems have assumed that the security that the CPU is providing is actually effective - that's the assumption everyone's been running on in designing the software and it turns out that's a bad assumption," Mr Miller said.
Cloud risks
The flaw was of particular concern to anyone using a cloud service, as a hacker could tap into the processor of the machine that hosted their virtual space, and gain access to the virtual spaces of everyone else using the machine.
"With cloud environments, one of the core security controls is an attacker can't access the underlying machine that hosts his services," Mr Miller said.
"This vulnerability exposes that and introduces a massive risk to operators in the cloud. If you do business in the cloud, you need to make sure your provider is applying the patches and getting their machines up to date."
Researchers with Google's Project Zero, in conjunction with academic and industry researchers from several countries, discovered the flaws.
Spectre flaw
The second flaw, Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information. It will be much harder to patch than Meltdown and impact a broader range of machines, the researchers say, but it will also be much harder for attackers to use.
The researchers say Apple and Microsoft have patches ready for users for desktop computers affected by Meltdown. Microsoft and Apple did not immediately return requests for comment, but fixes have apparently been spotted in recent MacOS updates and Windows Insider builds.
Intel has acknowledged the researchers' report and says it is working on a solution that will not significantly slow computers.
"Intel has begun providing software and firmware updates to mitigate these exploits," it said in a statement.
"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."
ARM spokesman Phil Hughes confirmed ARM was working with AMD and Intel to fix the security hole, but said it was "not an architectural flaw" and that patches had already been shared with the companies' partners, which include most smartphone manufacturers.
"This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory," Mr Hughes said.
Shares in Intel were down by 3.4 per cent following the report, while shares in AMD rose 1 per cent.
With Reuters