After news broke a little ahead of schedule about a major security vulnerability affecting most Intel processors released in the past decade, Intel issued a brief statement stating, among other things, that it’s not the only company whose products are affected.
Now more details have been released and it looks like Google’s Project Zero security team, along with other security researchers, discovered a set of vulnerabilities and it looks that’s true: AMD and ARM-based chips are also vulnerable to some, but not all of the exploits that can be used to collect sensitive data that’s supposed to be protected.
The vulnerabilities were discovered last year, and Google has been working with chip makers and software developers to create operating system and firmware updates to protect users. The good news is that updates are already in place and/or rolling out. The less good news is that the software workarounds for this hardware issue could lead some computers, phones, or other devices to perform certain activities a little more slowly.
In a nutshell, Google found two new exploits, code-named Spectre and Meltdown. They both allow software running on a computer to access sensitive data from kernel memory including passwords or other information that’s meant to be protected. If your computer hasn’t been patched with an appropriate software update, malware running on your computer could be used to steal data from applications that are otherwise following best security practices.
Both vulnerabilities make use of speculative execution to access data that should normally be protected, including passwords or encryption keys.
While Meltdown has only been verified to affect Intel processors, Spectre affects chips from Intel, AMD, and ARM.
Pretty much all Intel processors released since 1995 are affected. ARM notes that most of its processor designs are not affected… but those that are affected include most of the company’s top-tier designs from the past few years including Cortex-A75, Cortex-A73, Cortex-A72, Cortex-A57-, Cortex-A17, and Cortex-A9.
AMD says there’s a “near-zero” risk to its processors because of differences in its architecture, and Google does note that the Spectre vulnerability is harder to exploit. But it seems clear that until new chips that aren’t vulnerable to either attack are released, software updates are our best bet.
It’s unclear if there’s any malware out there that makes use of Meltdown or Spectre, because the attacks are hard to detect. After discovering the issues, Google took steps to protect its products and began working with chip makers and software developers, which is why Microsoft, Apple, and Linux developers already have fixes in progress.
Google says Android devices with the latest security update are protected (which is good news for Nexus and Pixel users, I guess), and that it hasn’t seen a way to use either exploit to get protected data from an ARM-based Android device anyway.
Other Google products including Google Home, Chromecast, and Google WiFi are already up to date, and most Google Cloud Platform services are good to go, while a few require some user intervention.
Google Chrome OS 63 is patched, as is the Chrome 64 browser (set to launch later this month).
Microsoft is rolling out an update for Windows today. Apple already has a partial fix in place, with more updates on the way. And Linux kernel developers have added patches to Linux kernel 4.15, which is part of how we know that some tasks will run more slowly on patched systems.
If you’re looking for more details, you can check out the research papers (PDF links) Meltdown and Spectre, but I’d recommend checking out Ars Technica’s coverage for a pretty good breakdown of the situation in layman’s terms.
I wonder if this affects iPhones (or iOS devices)?
….and if it does affect Android, we’re all screwed because no-one’s getting a security fix.
Maybe the Pixel 2 and Sony flagships, since that’s where most development occurs.
People using Samsung, LG, HTC, Moto, Huawei, OnePlus, Xiaomi, Nokia, ZTE are screwed for sure.
Not sure where Blackberry lies, since they’re usually update-irresponsible but security-responsible, they may be in a pickle.
The article says the latest security patch covers it, but it doesn’t give the date of that security patch. Most phones receiving patches tend to be about 2-6 months behind (e.g. mine is August 2017, probably received in October), so it would be nice to know the date of the security patch.
Raspberry Pi 3 safe! 😀
Thats why I still use Abacus.
Ugh. Me caveman. What is this abacus? Why not use pebbles?
Eh caveman, pebbles get bugs too. Dumb-dumb.
True, it was recently discovered that, due to a vulnerability inherent in pebble hardware, unencrypted data can be read directly from a pebble-based system. Further, root access can be trivially obtained by anyone with physical access or a reaching stick.
Yay, no intel chips on most of my critical machines 😀
It’s a bit confusing for now as there are multiple teams working on this , not just Google.
ARM lists some of their high end cores as vulnerable to Meltdown or a variant and maybe it’s not quite certain that AMD can’t be impacted by Meltdown.
Google or ARM claim fixes but , on the other hand, we hear that there is no fix for Spectre and even the Meltdown patch is maybe not 100% safe.
At this point, it seems that we need new hardware,when it becomes available and that takes a while.
And people wonder why I still use a 486DX66.
And we’re still wondering…
To sum it up, Meltdown is the security flaw that is exclusive to Intel. AMD processors are unaffected by it, hence Linux excluding them from the fix in going forward. Meltdown’s patches will result in a 5-30% performance deficent in going forward. Spectre is much less dangerous but also harder to patch.