Large companies begin to release statements about the vulnerability of x86 processors, which according to Google and Microsoft, affects not only Intel processors, but also AMD and ARM.
Last night, at the last minute, we echoed the note published by Intel about the security breach detected in its processors. More companies are publishing press releases about this vulnerability, detected by Google researchers and called Meltdown and Specter. The security patch should have been released on January 9, but under the circumstances, the researchers have brought it to light and the companies that are involved in this have already begun to pronounce on it.
Table of Contents
Project Zero researcher Jann Horn demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party can read confidential information in system memory, such as passwords, encryption keys, or confidential information opened in applications. The tests also showed that an attack running on one virtual machine could access the physical memory of the host machine and through that gain read access to the memory of a different virtual machine on the same host.
These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems that run them.
As soon as we learned of this new kind of attack, our security and product development teams mobilized to defend Google systems and our users' data. We have updated our affected systems and products to protect against this new type of attack. We also collaborate with industry hardware and software manufacturers to help protect their users and the web in general. These efforts have included collaborative analysis and the development of new mitigations.
We are publishing ahead of an originally coordinated release date of January 9, 2018 due to existing public reports and increasing speculation in the press and security research community on the subject, increasing the risk of exploitation. The full report of Project Zero is available.
AMD
Today there is much speculation about a possible security problem related to modern microprocessors and speculative execution. As we often do when a potential security issue is identified, AMD has been working across our ecosystem to assess and respond to the speculative execution attack identified by a security investigation team to ensure our users are protected.
To be clear, the security research team identified three variants aimed at speculative execution. The threat and response to all three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD architecture, we believe there is a near zero risk for AMD processors at this time. We hope that the security investigation will be released later and will provide more updates at that time.
ARM
This method requires malware to run locally and could result in privileged memory access to data. Our Cortex-M processors, which are present in low-power connected IoT devices, are not affected.
MICROSOFT
We are aware of this issue across the industry and have been working closely with chipmakers to develop and test mitigations to protect our customers. We are in the process of implementing mitigations for cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information indicating that these vulnerabilities have been used to attack our customers.
