Updated:

Fresh details indicate that the vulnerability revealed Tuesday in Intel Corp. chips is even more serious than it first appeared, affecting virtually all central processing units built by Intel Corp. over the past two decades as well as other chips from Advanced Micro Devices Inc. and ARM Holdings.

Now, it’s clear that not one but two vulnerabilities have been detected that could affect the majority of personal computers made in the last 20 years, as well as some Android smartphones. The bugs, called “Meltdown” and “Spectre,” could potentially allow hackers to compromise the privileged memory of CPUs and gain control of various software applications. In theory, that could allow a virtual machine, or computer emulated in software, on shared hosting environments to overwrite another virtual machine.

“These vulnerabilities have a broad impact on the IT [information technology] industry, affecting many modern microprocessors and enabling an attacker to bypass restrictions to gain read access to privileged memory which would otherwise be inaccessible,” said Denise Dumas, vice president of Red Hat Inc.’s Operating System Platform. “In short, these vulnerabilities could allow a malicious actor to steal sensitive information from almost any computer, mobile device or cloud deployment.”

Security researchers have created two websites providing more details of each bug and what’s being done to mitigate them. Patches for Meltdown have already been pushed out for Linux, MacOS and Windows operating systems, though it’s widely reported that these fixes will have a negative impact on the performance of Intel’s hardware, at least temporarily, one analyst said. Cloud providers, including Amazon Web Services Inc. and Microsoft Corp.’s Azure unit, said they had provided protection for most of their computing services and would fix the rest shortly.

In addition, Intel itself said Thursday that it has “already issued updates for the majority of processor products introduced within the past five years.” By the end of next week, Intel added, it aims to have issued updates for more than 90 percent of the processors it has sold in the past five years.

“The heart of the matter is the kernel page table isolation that allows speculative references,” said Ray Wang, founder, principal analyst and chairman of Constellation Research Inc. “The Intel response and bug patch is a temporary solution. There will need to be more firmware updates and software patches to counter performance degradation.”

Indeed, the patches present additional complications that may discourage people from using them.

“The flaw in Intel processors presents complicated scenarios – mostly for the millions of devices powered by them that could be affected,” said Rod Soto, director of security research at JASK, which makes a security operations platform. “Some devices may be patchable, but others may not. Reports indicate that popular and commonly used virtualization/cloud platforms are impacted by this flaw, and a number of these devices may indeed be fixable via updates – with security risks mitigated if done in due time.”

But Soto added that performance issues may discourage the installation of patches. “A significant enough drop in functionality may discourage the application of any patch altogether, and therefore, the possibility of mass exploitation attempts in the near future is very likely,” he said.

As for second bug, Spectre, there is currently no fix available, though this flaw is more difficult to exploit than Meltdown, the New York Times reported.

Intel’s chips were the main focus of earlier reports on the bug, but a blog post today from Google LLC security engineers Matt Linton and Pat Parseghian claimed that CPUs built by other companies, including AMD and ARM, are also vulnerable.

Intel said in a statement that it also believes chips from other manufacturers could be susceptible to the bugs. “Many different vendors’ processors and operating systems… are susceptible to these exploits,” the company said, adding that it’s working with AMD and ARM to “develop an industrywide approach to resolve this issue promptly and constructively.”

For its part, AMD played down the risk, saying that the chances its hardware might be affected are very low. “To be clear, the security research team identified three variants targeting speculative execution,” AMD said in a statement. “The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.”

Google said the bugs also appear to affect some Android and ChromeOS devices, though it noted that exploiting them remains “difficult and limited on the majority of Android devices.” Google’s researchers added that they’re planning to update the next version of Chrome, due out on Jan. 23, to mitigate the vulnerabilities.

The good news is that the companies involved seem to be keeping a lid on things, with no reports of anyone actually managing to exploit the bugs so far.

“Compared to some other big exploits, Intel, ARM and AMD are well ahead of the curve,” said Patrick Moorhead, president and principal analyst at Moor Insights & Strategy. “Usually when we are talking about an exploit or hack, it’s after the damage has been done. There is no virus, no hack, no damage but there is a hole that could be exploited.”

Moorhead also revealed that Intel, AMD and ARM have known about the vulnerabilities for some time, and have been working on a fix for several months already. However, he played down fears regarding the impact on performance any fixes might have.

“The most severe fix degrades performance a bit, but it’s important to know that it’s not on all workloads and any performance hit isn’t permanent,” the analyst said. “I expect cloud providers, which primarily use Intel, to update the firmware on their servers and storage, deal with any performance hit and, as improved performance firmware becomes available, upgrade that.”

With reporting from Robert Hof

Image: Graz University of Technology