SAN FRANCISCO – A newly discovered exploit in most modern processors could make your computer or smartphone vulnerable to attacks. The problem impacts processors going back more than two decades and could let hackers access passwords, encryption keys or sensitive information open in applications.
“It’s not really one vendor’s problem,” Steve Smith, head of Intel’s data center engineering operations, said during a conference call Wednesday. “It’s not an issue with our product. It’s not an issue with someone else’s product.” It’s a general design issue that impacts most modern chips, he said.
Intel has been working with Arm, PC chip rival AMD and others to investigate the exploit and come up with a fix. The New York Times reported one flaw, Spectre, could require a processor redesign. But Intel and Arm say both exploits can be patched with software updates from them and operating system makers over the coming days and weeks.
They also plan to design their future chip architecture to prevent the exploits. In the case of Intel’s fix, it could slow the performance of some devices by 30 percent or more. Most users, though, won’t see much of an impact, likely only as much as 2 percent, Smith said.
Intel and Arm noted that no one’s device has actually been hacked through this exploit and that a hacker would need to have malware running locally on the device to access data. Intel also said it believes the exploits can’t corrupt, modify or delete data.
The issue likely impacts most Intel computers sold for the past two decades. It’s unclear how many mobile devices could potentially be at risk. The vast majority of the world’s smartphones and tablets run on chips based on Arm technology. That includes Apple, Samsung, Qualcomm and others.
Arm said certain high-end processors based on its Cortex-A and other technology are at risk, but it noted that “the majority” of its chips are not impacted. Chips based on the Cortex-A architecture go into mobile devices, networking infrastructure, home and consumer devices, automotive in-vehicle infotainment and driver automation systems, and embedded designs. The company’s Cortex-M processors, which are used in low-power, connected internet of things devices, aren’t impacted.
Google said in its blog post about the exploit that the issue has been mitigated in many products or wasn’t a vulnerability in the first place. But in some cases, users may need to take steps to make sure they’re using a protected version of a product. In the Chrome browser, for instance, you have to enable something called “Site Isolation,” which isolates websites into separate address spaces. An upcoming browser update, Chrome 64, will provide protections against the exploits when it’s available Jan. 23.
Apple didn’t respond to requests for comment.
Along with impacting personal computing devices, the exploit also hurts servers in data centers, like Amazon’s cloud service. Amazon Web Services said “all but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”
Microsoft said that it has been working closely with chipmakers to release fixes for its customers.