The discovery of security flaws built into Intel’s processors was apparently found last year by the Google security team. The flaw was also found to be in AMD and ARM processors as well.
The newly revealed security flaws found in Intel processors were discovered months ago by Google’s Project Zero security team and apparently exist in AMD and ARM chips as well. The chips use a method known as speculative execution, which led to the problems, according to a new Google security blog post.
After the vulnerabilities were found by team researcher Jann Horn, Google said it immediately began to look for fixes for its own products to secure user data, and has since updated its systems to implement those measures. It also said that it began working with hardware and software makers to share what it had learned and offered help in implement fixes to protect their users as well.
The Project Zero team found three ways that attackers could get malicious code onto a system that could read memory data such as passwords with only normal user privileges. The team offered this explanation on how speculative execution works and how it could allow for a breach:
Google said that many vendors already have various fixes to prevent attacks, but unfortunately, there is no single fix that addresses all three. Microsoft, which also pointed to AMD processors as well as those from Intel and ARM, obviously felt the flaw was substantial enough to not wait until Patch Tuesday to issue a fix.
For its part, Intel has refuted the notion of a bug or flaw in the processors, but acknowledged that the devices using their chips were susceptible. AMD went even further to say that its processors were not affected at all, something that the Project Zero team and Microsoft obviously disagree with.
As for the Google fixes, the team provided a list of its products that are not affected, and also what users need to do for devices and software that could be:
Google said that other updates and fixes will be added as needed.
All of the parties affected had apparently been working quietly to get everything ready for a Patch Tuesday announcement on January 9, but the recent press reports and speculation seems to have forced everyone’s hand.
Apparently, academics were also in on discovering the security issues, as two papers have been released on the three vulnerabilities. Two pertain to the currently dubbed Spectre, while the other has been named Meltdown. The papers offer a detailed look at the flaws.
The Project Zero team had originally planned on releasing its finding on January 9, but today’s news forced the company to release what it has now to help mitigate any exploitation that may result for the extended press coverage of the flaws. The full report will still be issued, however, on the originally planned date.
