
Google’s Project Zero details CPU security flaw as well as patches for Android, Chrome, more


Over the past 24 hours, the tech industry has been rocked by a wide-ranging CPU vulnerability. Discovered by Google’s Project Zero security team last year, details of the exploits have now officially emerged. Meanwhile, Google has provided a full list of mitigation status for its products from Android to enterprise services.
Most modern CPUs, including those from Intel, AMD, and ARM, optimize performance with a technique called “speculative execution.”
In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.
Google’s security team, tasked with finding zero-day vulnerabilities, has discovered three variants and demonstrated that malicious code can read system memory that houses passwords, encryption keys, and other sensitive information.
All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.
Upon discovery of this vulnerability, Google worked with internal teams and industry partners to address the issues.
For its products, Google has a status page that lists the current state of mitigations.
Meanwhile, Chrome 64, scheduled for release on January 23rd, will contain mitigations, while those who want extra security can enable a feature known as Site Isolation to isolate websites into separate address spaces.
Other consumer products like Google Home, Chromecast, Wifi, and OnHub are not affected. Google has a separate list covering its Cloud Platform Products and services. The Project Zero team also has a longer, more detailed blog post on the issue.
