Understanding Those Alarming Computer Chip Security Holes: ‘Meltdown’ and ‘Spectre’

A bomb cyclone hit the IT world on Wednesday as tech giants and computer security researchers released details pertaining to two major security holes that affect the processors in almost all computers. Researchers, including ones employed by the likes of Google, various tech firms, and academic institutions, independently discovered the flaws last year.

The vulnerabilities could allow attackers to swipe sensitive secrets from the memory of almost all devices, including phones, tablets, PCs, and computer servers. Experts have warned that hackers could develop exploits to purloin personal data, passwords, cryptographic keys, and other supposedly inaccessible information from targets.

Several programmers have already demonstrated proofs of concept for these so-called side-channel attacks.

Silicon Scars

The flaws plague hardware produced by top chip makers like Intel (INTC) and Advanced Micro Devices (AMD), and Softbank-owned chip designer ARM Holdings. Big tech companies including Microsoft (MSFT) and Apple (AAPL) have been scrambling in recent weeks to address these threats by developing fixes for their software while cloud computing giants, like Amazon (AMZN) and Google (GOOG), have been rushing to apply patches to their data center infrastructure.

The first attack, dubbed “Meltdown,” applies specifically to Intel chips and allows hackers to circumvent the isolation barrier between user applications and operating systems, thereby opening up access to otherwise restricted machine memory. The second attack, “Spectre,” which is harder to pull off but has no available patches, lets hackers pry secrets out of the memory of devices running Intel, AMD, and ARM chips.

The Meltdown Mess

As for Meltdown, Apple and Microsoft have produced patches for Windows and macOS, as has the open source Linux project for its namesake operating system, although implementing these mitigations could cause computers to slow down by as much as 30%, researchers say. At the scale of a data center, such a performance hit could be severely detrimental to operations.

Intel countered in a statement that “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Amazon, Google, and Microsoft have all been applying the patches to their data center systems this week, the companies said. The companies were, in some cases, forced to act sooner than anticipated as news of the chip flaws began to trickle out online, causing the corporations to advance their disclosure timelines by a week.

Big Tech’s Response

Google, whose security researcher Jann Horn of the Project Zero team (see this Fortune profile of that ace hacker squad from last year) discovered both flaws, first alerted Intel to the problem, giving the company a head start on the process. Other independent discoverers of Meltdown included Werner Haas and Thomas Prescher of Cyberus Technology and Daniel Gruss, Moritz Lipp, Stefan Mangard, and Michael Schwarz of Austria’s Graz University of Technology.

“We have updated our systems and affected products to protect against this new type of attack,” Google said in a statement Wednesday.

Microsoft said in a statement Wednesday that it had updated “the majority” of its Azure cloud infrastructure, though some aspects “are still being updated and require a reboot of customer [virtual machines] for the security update to take effect.” Official updates were originally expected to arrive as part of one of the company’s upcoming Patch Tuesdays on January 9th (though the company has been testing beta versions of the patches since November).

“The majority of Azure customers should not see a noticeable performance impact with this update,” Microsoft said.

Amazon issued a similar statement Wednesday: “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”

Haunted by Spectre

Spectre, the more pervasive of the two flaws and the more difficult to take advantage of, has no clear solution as yet. While the U.S. Department of Homeland Security’s computer security advisory group US-CERT has suggested replacing affected CPUs, industry experts have countered that the recommendation is unfeasible.

Consumers and businesses should look to apply patches and workarounds if and when those become available.

Spectre’s discoverers include Google Project Zero’s Jann Horn, independent security researcher Paul Kocher, Daniel Genkin at the University of Pennsylvania and University of Maryland, Mike Hamburg at the American tech firm Rambus, Moritz Lipp at Austria’s Graz University of Technology, and Yuval Yarom of Australia’s University of Adelaide.

“It is not easy to fix, it will haunt us for quite some time,” Spectre’s discoverers warned.
