Macs, iPhones, iPads and Apple TV all hit by the weakness according to Apple. Photo / Getty Images
Every iPhone, iPad and Mac device could be at risk of being hacked.
Apple has confirmed that almost all of its devices are affected by Intel and Arm chip "design flaws" that could expose billions of people's personal data to cyber criminals, the Daily Mail reported.
The flaws leave the devices open to the devastating Meltdown and Spectre bugs, discovered by security researchers.
The tech company has warned its customers to only download software for its platforms from trusted sources, like the App Store.
Apple says it has already put measures in place to help protect its customers from Meltdown and more will be released in the coming days.
The firm plans to release further measures for its Safari web browser to help defend against Spectre.
Browser makers Google, Microsoft Corp and Mozilla Corp's Firefox all confirmed to Reuters that the patches they currently have in place do not protect iOS users.
With Safari and virtually all other popular browsers not patched, hundreds of millions of iPhone and iPad users may have no secure means of browsing the web until Apple issues its patch.
Apple stressed that there were no known instances of hackers taking advantage of the flaw to date.
In a written statement, Apple said: "All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.
"Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.
"We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS."
Tech firms have been aware of the bugs since last year, with chip manufacturer Intel informed in June 2017, but the finds have only just gone public.
Apple remained silent for more than a day about the fate of the hundreds of millions of users of its products.
Ben Johnson, co-founder and chief strategist for cyber security firm Carbon Black, said the delay in updating customers about whether Apple's devices are at risk could affect Apple's drive to get more business customers to adopt its hardware.
Speaking to Reuters, he said: "Something this severe gets the attention of all the employees and executives at a company, and when they go asking the IT and security people about it and security doesn't have an answer for iPhones and iPads, it just doesn't give a whole lot of confidence."
Measures released in iOS 11.2, macOS 10.13.2, and tvOS 11.2 will to help defend against Meltdown, according to Apple.
Benchmark tests taken in December showed that the updates had no effect on performance, a spokesman for Cupertino-based company said.
These are expected to cause system slowdowns of around 2.5 per cent.
Security researchers at Google's Project Zero computer security analysis team, in conjunction with academic and industry researchers from several countries, exposed the two flaws this week.
Meltdown, which is specific to Intel chips, lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory.
It was first discovered by Project Zero in June last year, when expert Jann Horn found that passwords, encryption keys, and sensitive information open in applications that should have been protected could be accessed.
A second bug, called Spectre, affects chips from Intel, AMD and Arm.
This lets hackers potentially trick otherwise error-free applications into giving up secret information.
Project Zero disclosed the Meltdown vulnerability not long after Intel said it's working to patch it.
Intel says the average computer user won't experience significant slowdowns as it's fixed.
Tech companies typically withhold details about security problems until fixes are available, so that hackers don't have a roadmap to exploit the flaws.
Both Intel and Google said they were planning to disclose the issue next week, when fixes will be available.
But Intel was forced to come clean about the problem yesterday after news of the flaw became public.
In an interview with CNBC yesterday, Intel CEO Brian Krzanich said: "We've found no instances of anybody actually executing this exploit.
"Phones, PCs, everything are going to have some impact, but it'll vary from product to product."
However, clips on social media claim to show computer security experts using the exploit.
Michael Schwarz, who has a PhD in information security, posted on Twitter "Using #Meltdown to steal passwords in real time", along with a GIF animation of the procedure.
Researchers say Apple and Microsoft have patches ready for users for desktop computers affected by Meltdown.
Microsoft declined to comment and Apple did not immediately return requests for comment.
Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it "probably one of the worst CPU bugs ever found" in an interview with Reuters.
Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches.
Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.
Intel's CEO said Google researchers told Intel of the flaws "a while ago" and that Intel had been testing fixes that device makers who use its chips will push out next week.
Before the problems became public, Google on its blog said Intel and others planned to disclose the issues on January 9.
Google said it informed the affected companies about the Spectre flaw on June 1, 2017 and reported the Meltdown flaw after the first flaw but before July 28, 2017.
The flaws were first reported by tech publication The Register.
It also reported that the updates to fix the problems could causes Intel chips to operate five to 30 per cent more slowly, with some experts claiming this could be more like 50 per cent.
Intel denied that the patches would bog down computers based on Intel chips.
"Intel has begun providing software and firmware updates to mitigate these exploits," the Santa Clara, California, Company said in a statement.
"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."
ARM spokesman Phil Hughes said that patches had already been shared with the companies' partners, which include many smartphone manufacturers.
"This method only works if a certain type of malicious code is already running on a device and could at worst result in small pieces of data being accessed from privileged memory," Mr Hughes said in an email.
AMD chips are also affected by at least one variant of a set of security flaws but that it can be patched with a software update.
The company said it believes there "is near zero risk to AMD products at this time."
Google said in a blog post that Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates.
Gmail users do not need to take any additional action to protect themselves, but users of its Chromebooks, Chrome web browser and many of its Google Cloud services will need to install updates.
Amazon Web Services, a cloud computing service used by businesses, said that most of its internet servers were already patched and the rest were in the process of being patched.
The defect affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, The Register reported citing unnamed programmers, allowing users of normal applications to discern the layout or content of protected areas on the chips.
That could make it possible for hackers to exploit other security bugs or, worse, expose secure information such as passwords, thus compromising individual computers or even entire server networks.
Dan Guido, chief executive of cyber security consulting firm Trail of Bits, said that businesses should quickly move to update vulnerable systems, saying he expects hackers to quickly develop code they can use to launch attacks that exploit the vulnerabilities.
"Exploits for these bugs will be added to hacker's standard toolkits," Mr Guido said.
Shares in Intel were down by 3.4 per cent following the report but nudged back up 1.2 per cent to US$44.70 in after-hours trading.
Shares in AMD were up one per cent to US$11.77, shedding many of the gains they had made earlier in the day when reports suggested its chips were not affected.
It was not immediately clear whether Intel would face any significant financial liability arising from the reported flaw.
"The current Intel problem, if true, would likely not require CPU replacement in our opinion. However the situation is fluid," Hans Mosesmann of Rosenblatt Securities in New York said in a note, adding it could hurt the company's reputation.
MELTDOWN AND SPECTRE: WHAT YOU NEED TO KNOW
Researchers from Google, academia and cybersecurity firms discovered two flaws in computer chips that affect nearly all modern computers:
Meltdown
This is a flaw that affects laptops, desktop computers and internet servers with Intel chips.
It lets hackers bypass the hardware barrier between applications run by users and the computer's kernel memory.
Reports have suggested that up to 15 years of Intel processors may be affected.
Google - Patch available today
On January 5, Google is issuing a security update to protect Android phones.
Google-branded phones should automatically download the update and you need to just install it. With Pixel and Pixel 2 the update will automatically install too.
Some Android phone manufacturers are slow to patch, so you should contact them to make sure they update it as soon as possible.
The patch for Chrome will be installed on January 23 and some Chromebooks had a mitigation in its OS 63, released in December, write Wired.
If don't want to wait until then an experimental feature from Google called Site Isolation can help in the meantime. This feature makes it harder for malicious websites to access data from other websites you are looking at, writes Cnet.
To use this feature on Windows, Mac, Linux, Chrome OS or Android copy and paste chrome://flags/#enable-site-per-process into the URL in Chrome. Click 'Strict Site Isolation' and then press 'Enable'.
Save your work and then press 'Relaunch now'.
A few Chromebooks are not expected to get the patch because they are too old. Here is a full list (look for 'no' in the right-hand column).
According to Google no other products are affected by these vulnerabilities.
Microsoft - Windows 10 patch available, older versions to come
The company says its web services have been updated.
Major cloud services aimed at business customers, including Amazon Web Services, Google Cloud Platform and Microsoft Azure, say they have already patched most of their services
Consumers should check with their device maker and operating system provider for security updates and install them as soon as possible.