Security researchers this week revealed details of Spectre and Meltdown, massive security vulnerabilities found in microprocessors made by Intel, Advanced Micro Devices and others.
The attacks take advantage of a features built into modern chips and could allow hackers to craft malware using Spectre that could steal passwords or other confidential data through popular web browsers like Chrome, Internet Explorer, Firefox, and Safari for Macs or iOS. That’s prompted quick action from Microsoft, Google, Apple, and Firefox.
What is Spectre?
Spectre is the name given to two of the three kinds of newly discovered attacks that hackers could use to steal confidential data from computers and mobile devices. While the third attack, known as Meltdown, only runs on Intel chips, Spectre attacks can affect devices with virtually any modern processor.
The processors often handle data, like a password or encryption key, that is supposed to be kept from other apps. But to speed up calculations, chips use a technique known as speculative execution to try to guess at some answers that may be needed if a chain of calculations came out a certain way. Because of a predictable delay in the timing of the technique and a chip’s security checks, the researchers found that a rogue app could guess where confidential data was located in a chip’s memory and steal it.
Get Data Sheet, Fortune’s technology newsletter.
Why are web browsers vulnerable to Spectre?
An attacker would need to get a nefarious app running on a victim’s computer or phone to steal data using Spectre. The researchers who uncovered the security problems said they developed a successful model attack using one of the two Spectre variations via a Javascript program. So one way hackers could actually get their attack app to run on a victim’s computer is by writing a data stealing Javascript program and posting it on a web site. The victim’s browser app would automatically run the rogue code, assuming it just was an ordinary part of the site’s features.
Have any hackers used the attack yet?
The researchers who uncovered Spectre say they developed methods to use the vulnerabilities to steal user data (sometimes after being given confidential details of chip design by the chip makers). But no one has yet discovered any actual exploits “in the wild” yet.
How can I protect my web browser from Spectre?
Each browser maker is releasing updates that add new security features and, in some cases, turn off existing features that would make a Spectre attack easier.
Google says Chrome users should turn on a feature called “site isolation” that limits the ability of a rogue Javascript program to get access to sensitive data. The company also said it will release an update on or about Jan. 23 to Chrome’s Javascript feature that will protect better against Spectre attacks, though browser performance may suffer.
Microsoft (MSFT) says it has already issued a Windows security update for its Internet Explorer and Edge browser apps dubbed “KB4056890” to help protect against Spectre. The update changed browser features to make accessing confidential information in a device’s CPU via the timing delays much more difficult, the company said.
Mozilla, the company behind Firefox, said the newest releases of its apps changed several features to make Spectre attacks more difficult. Firefox version 57.0.4, released on Jan. 4, includes the mitigation techniques. But the company said it is studying additional ways to protect even more strongly against the attacks. “In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers,” Mozilla said in a blog post. “This project requires time to understand, implement and test.”
Apple said it planned to release an update to Safari in “coming days” to protect against Spectre. Apple said early tests of the changes needed showed a minimal impact on browser performance.
What about protection from Meltdown attacks?
The third kind of attack, known as Meltdown, relies not on the delayed timing of speculative execution but on how chip software may not check if an app has permission to access some data used in speculative execution as a way to speed up performance. So far, Meltdown has only been demonstrated against chips made by Intel, not AMD (AMD). Apple says the attack “has the most potential to be exploited.”
To protect against Meltdown, chipmakers and operating system vendors are already issuing patches and updates. Intel (INTC), Google (GOOGL), and Apple (AAPL), among others, say they have already released recent patches to help protect against the attack.
