Mobile users who thought they were unaffected by the Meltdown flaw affecting Intel chips are suddenly not quite so secure. A second flaw, dubbed Spectre, has been discovered -- and this time it affects ARM processors, as well as Intel and AMD chips. This means that all mobile devices that use ARM architecture (and that's pretty much all of them) are now in danger of attack.

The flaws were discovered by several teams, working independently. Meltdown was detected by researchers working for Google Project Zero, and was reported to Intel in June last year.

The vulnerability was then picked up by teams at Graz University of Technology and Cyberus Technology. Jann Horn's team at Google Project Zero also identified Spectre first, but researchers from a variety of institutions also confirmed the flaw.

A blog post from the team at the Graz University sets out the difference between the two flaws. "Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location."

Good and Bad News

There's good and bad news about Spectre: the, relatively, good news is that it's a harder flaw to exploit, not something that's likely to be exploited by the archetypal teenage hacker sitting in his bedroom, but it's a weakness that could well be exploited by state security services and criminal gangs. However, the bad news is that there's no known fix for the flaw. There are, however, no known attacks in the wild.

In a statement, Intel said it was working with ARM and AMD to address the flaw. ARM has put out a security briefing note, indicating which chips could have been affected by Spectre. The company also advises its users to ensure that users are careful to follow good practice to stay as safe as possible. "It is important to note that this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads," said the company in its briefing note.