After news broke a little ahead of schedule about a major security vulnerability affecting most Intel processors released in the past decade, Intel issued a brief statement stating, among other things, that it’s not the only company whose products are affected.
Now more details have been released and it looks like Google’s Project Zero security team, along with other security researchers, discovered a set of vulnerabilities and it looks that’s true: AMD and ARM-based chips are also vulnerable to some, but not all of the exploits that can be used to collect sensitive data that’s supposed to be protected.
The vulnerabilities were discovered last year, and Google has been working with chip makers and software developers to create operating system and firmware updates to protect users. The good news is that updates are already in place and/or rolling out. The less good news is that the software workarounds for this hardware issue could lead some computers, phones, or other devices to perform certain activities a little more slowly.
In a nutshell, Google found two new exploits, code-named Spectre and Meltdown. They both allow software running on a computer to access sensitive data from kernel memory including passwords or other information that’s meant to be protected. If your computer hasn’t been patched with an appropriate software update, malware running on your computer could be used to steal data from applications that are otherwise following best security practices.
Both vulnerabilities make use of speculative execution to access data that should normally be protected, including passwords or encryption keys.
While Meltdown has only been verified to affect Intel processors, Spectre affects chips from Intel, AMD, and ARM.
Pretty much all Intel processors released since 1995 are affected. ARM notes that most of its processor designs are not affected… but those that are affected include most of the company’s top-tier designs from the past few years including Cortex-A75, Cortex-A73, Cortex-A72, Cortex-A57-, Cortex-A17, and Cortex-A9.
AMD says there’s a “near-zero” risk to its processors because of differences in its architecture, and Google does note that the Spectre vulnerability is harder to exploit. But it seems clear that until new chips that aren’t vulnerable to either attack are released, software updates are our best bet.
It’s unclear if there’s any malware out there that makes use of Meltdown or Spectre, because the attacks are hard to detect. After discovering the issues, Google took steps to protect its products and began working with chip makers and software developers, which is why Microsoft, Apple, and Linux developers already have fixes in progress.
Google says Android devices with the latest security update are protected (which is good news for Nexus and Pixel users, I guess), and that it hasn’t seen a way to use either exploit to get protected data from an ARM-based Android device anyway.
Other Google products including Google Home, Chromecast, and Google WiFi are already up to date, and most Google Cloud Platform services are good to go, while a few require some user intervention.
Google Chrome OS 63 is patched, as is the Chrome 64 browser (set to launch later this month).
Microsoft is rolling out an update for Windows today. Apple already has a partial fix in place, with more updates on the way. And Linux kernel developers have added patches to Linux kernel 4.15, which is part of how we know that some tasks will run more slowly on patched systems.
If you’re looking for more details, you can check out the research papers (PDF links) Meltdown and Spectre, but I’d recommend checking out Ars Technica’s coverage for a pretty good breakdown of the situation in layman’s terms.