The newly revealed security flaws found in Intel processors were discovered months ago by Google's Project Zero security team and apparently exist in AMD and ARM chips as well. The chips use a method known as speculative execution, which led to the problems, according to a new Google security blog post.
After the vulnerabilities were found by team researcher Jann Horn, Google said it immediately began to look for fixes for its own products to secure user data, and has since updated its systems to implement those measures. It also said that it began working with hardware and software makers to share what it had learned and offered help in implement fixes to protect their users as well.
The Project Zero team found three ways that attackers could get malicious code onto a system that could read memory data such as passwords with only normal user privileges. The team offered this explanation on how speculative execution works and how it could allow for a breach:
In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.
Google said that many vendors already have various fixes to prevent attacks, but unfortunately, there is no single fix that addresses all three. Microsoft, which also pointed to AMD processors as well as those from Intel and ARM, obviously felt the flaw was substantial enough to not wait until Patch Tuesday to issue a fix.
For its part, Intel has refuted the notion of a bug or flaw in the processors, but acknowledged that the devices using their chips were susceptible. AMD went even further to say that its processors were not affected at all, something that the Project Zero team and Microsoft obviously disagree with.
As for the Google fixes, the team provided a list of its products that are not affected, and also what users need to do for devices and software that could be:
- All Google products not explicitly listed below require no user or customer action.
- Devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.
- Supported Nexus and Pixel devices with the latest security update are protected.
- Further information is available here.
- Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):
- No additional user or customer action needed.
- Google Chrome
- Some user or customer action needed. More information here.
- Google Chrome OS (e.g., Chromebooks):
- Some additional user or customer action needed. More information here.
- Google Cloud Platform
- Google App Engine: No additional customer action needed.
- Google Compute Engine: Some additional customer action needed. More information here.
- Google Kubernetes Engine: Some additional customer action needed. More information here.
- Google Cloud Dataflow: Some additional customer action needed. More information here.
- Google Cloud Dataproc: Some additional customer action needed. More information here.
- All other Google Cloud products and services: No additional action needed.
- Google Home / Chromecast:
- No additional user action needed.
- Google Wifi/OnHub:
- No additional user action needed.
Google said that other updates and fixes will be added as needed.
All of the parties affected had apparently been working quietly to get everything ready for a Patch Tuesday announcement on January 9, but the recent press reports and speculation seems to have forced everyone's hand.
Apparently, academics were also in on discovering the security issues, as two papers have been released on the three vulnerabilities. Two pertain to the currently dubbed Spectre, while the other has been named Meltdown. The papers offer a detailed look at the flaws.
The Project Zero team had originally planned on releasing its finding on January 9, but today's news forced the company to release what it has now to help mitigate any exploitation that may result for the extended press coverage of the flaws. The full report will still be issued, however, on the originally planned date.