After the news that practically all processors are vulnerable to security breaches through their inherent design, ARM has joined other tech companies in acknowledging the vulnerabilities, and detailing which of its Cortex processors are affected.
In a blog post to developers, the company laid out the three known vulnerabilities - two of which have been jointly named Spectre and the third labeled Meltdown - as well as a fourth "variant" related to Meltdown. The company released a chart showing that its entire A-series was susceptible to Spectre, and that only its A75 chip had the Meltdown vulnerability. The A15, A57 and A72 chips can also be exploited by the Meltdown variant, but stated that "In general, it is not believed that software mitigations for this issue are necessary." The company was also pointed in stating that not all ARM chips were affected, only those listed in the chart.
The post then listed a variety of Linux fixes for the different vulnerability variants. The company pointed developers to Google for Android fixes - which Google released yesterday - and telling other OS users to contact the OS maker for their solutions. ARM's Cortex A8, A9, and A15 chips have been used in numerous older iOS devices, as well as Nvidia Tegra units and earlier Samsung Exynos smartphones. A9 was also used in the PlayStation Vita. Later Cortex chips have been used in Google Pixel devices and some Qualcomm Snapdragon devices.
By all accounts, these vulnerabilities have been known for months, with fixes being worked on by the various hardware and software makers in secret so as not to alert the hacking community before proper fixes and mitigations were in place. The early discovery by the media forced companies to move up the timetables on their fixes and explanations. Reports and fixes were originally all supposedly timed to go out on January 9, or a Patch Tuesday. Google's Project Zero team, which first found the vulnerabilities, will still have a complete report coming then.
ARM also did its own report, called the Cache Speculation Side-channels whitepaper. The company recommended that all developers read it to get more in-depth details on how the vulnerabilities work and how they can best be mitigated.
As for future ARM development, the company said it will be prepared:
All future Arm Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches.
Arm recommends that the software mitigations described in the Cache Speculation Side-channels whitepaper be deployed where protection against malicious applications is required. Arm's expert Security Response Team will continue to research any potential mitigations working closely with our customers and partners.
Intel has responded to how the vulnerabilities affected its processors, but also called out AMD and ARM for similar issues. AMD has responded as well, but said it has found that Spectre's impact would be minimal and that Meltdown does not affect AMD at all because of the way the processor is designed.