Security researchers on Wednesday provided more information on a set of security flaws that they said could let hackers steal sensitive information from computing devices containing chips from Intel, ARM Holdings and AMD.
Researchers with Google Project Zero, in conjunction with academic and industry researchers from several countries, discovered two flaws.
The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.
Google said that the Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications, according to Google. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
Google says that these vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them. The company added that it has already updated its systems and affected products to protect against this new type of attack. Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates. Gmail users do not need to take any additional action to protect themselves, but users of Chromebooks, Chrome web browser and many of its Google Cloud services will need to install updates.
For their part, Intel and ARM insist that the issue was not a design flaw as it was initially reported, but it will require users to download a patch and update their operating system to fix.
"Phones, PCs, everything are going to have some impact, but it'll vary from product to product," Intel CEO Brian Krzanich said in an interview with CNBC Wednesday afternoon.
Krzanich said Google researchers told Intel of the flaws "a while ago" and that Intel had been testing fixes that device makers who use its chips will push out next week. Before the problems became public, Google said Intel and others planned to disclose the issues on Jan. 9. Google said it informed the affected companies about the "Spectre" flaw on June 1, 2017 and reported the "Meltdown" flaw after the first flaw but before July 28, 2017.
Intel denied that the patches would bog down computers based on Intel chips.
"Intel has begun providing software and firmware updates to mitigate these exploits," Intel said in a statement. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."
"Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we're better off to get the fix in place," Krzanich said.
Intel's Smith also said the company sees no significant threat to its business from the vulnerability.
"I wouldn't expect any change in acceptance of our products," he said. "I wouldn't expect any concrete financial impact that we would see going forward."
ARM spokesman Phil Hughes said that patches had already been shared with the companies' partners, which include many smartphone manufacturers.
"This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory," Hughes said in an email.
AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update. The company said it believes there "is near zero risk to AMD products at this time."
The researchers said Apple and Microsoft had patches ready for users for desktop computers affected by Meltdown.
Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD, the company said in a statement. The software maker has also started applying the patches to its cloud services where servers also are affected by the issue.
Amazon Web Services, a cloud computing service used by businesses, said that most of its internet servers were already patched and the rest were in the process of being patched.