Spectre is a bug that breaks the isolation between different applications. Software giants such as Microsoft and the Linux Foundation have rushed to issue patches to fix the vulnerability. Kernel is the key part of an operating system that has complete control over the system and acts as a connecting dot between processor, application, memory and other hardware devices. However, due to the full details of the vulnerability now being under embargo, meaning the full details of the bug are yet to be officially announced, it's not yet clear just how serious it is.
There are three known variants of the issue, known as CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.
Now that the cat is out of the bag, there are numerous resources to allow you to fully read up on both Meltdown and Spectre.
On Thursday, Intel's stock closed down 1.8 percent to $44.43 a share.
A second vulnerability, dubbed Spectre, also affects AMD and ARM computer chips, and could allow hackers to steal data from the computer's memory that is normally kept in isolation. Researchers have described proof-of-concept uses of the vulnerabilities, which means it is possible they could be replicated by someone or a group wanting to exploit the problems.
Aside from applying the relevant patch, the only other solution is to buy a brand-new processor which isn't blighted by the bug now Intel has ironed it out - not exactly a practical prospect for most folks (unless you were mulling over pulling the trigger on a CPU upgrade anyway). Importantly, this does not work on AMD processors in default configurations. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time.
ARM, which designs the processor cores at the heart of almost every smartphone on the planet, said its Cortex-A cores are affected by Spectre but the Cortex-M cores found in embedded and internet-of-things devices are not affected. A previously submitted patch to the Linux kernel to address Meltdown has been modified to exclude AMD.
The Meltdown attack only seems to work on Intel processors. But security researchers raised concerns that the patches could significantly hamper system performance, since the operating system is now being asked to do something that it was created to assume was the chip's job. Naturally, all performance is workload-dependent, though noted benchmarking website Phoronix has measured VM performance regression at roughly 10% for Redis, Apache, and PostgreSQL, with higher numbers for synthetic tests like Stress-NG, and negligible change for Himeno and Parboil. These services, offered by Amazon, Microsoft, Google, IBM and others, give smaller companies access to data centers, web hosting and other services they need to run their businesses. An affected handset can leak sensitive information including passwords.
Spectre is tougher to exploit than Meltdown, but its effects are more pervasive.
This vulnerability is potentially particularly risky in cloud computing systems, where users essentially rent time from massive supercomputing clusters.
It's important to note that, to date, these vulnerabilities have not been seen exploited in the wild. This also makes the pair hard to detect as part of a malware attack, though known malware signatures are still possible to determine by traditional means.
While security flaws are typically limited to a specific company or product, Intel says the problem is "not a bug or a flaw in Intel products" but rather a broader problem affecting processing techniques common to modern computing platforms. Android will get an update on January 5, Chrome on January 23 and some affected Chromebooks had a mitigation in its OS 63, which was released in December.