Over the past 24 hours, the tech industry has been rocked by a wide-ranging CPU vulnerability. It was discovered by Google’s Project Zero security team last year, and details of the exploits have now officially emerged. Meanwhile, Google has provided a full list of mitigation status for its products, from Android to enterprise services.
Most modern CPUs, including Intel, AMD, and ARM, optimize performance with a technique called “speculative execution.”
In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor verifies these assumptions; if they are valid, the execution continues. If they are invalid, the execution is unwound, and the correct execution path is started based on the actual conditions. It is possible for this speculative execution to have side effects (such as changes to cache state) that are not restored when the CPU state is unwound, and these can lead to information disclosure.
Google’s security team tasked with finding zero-day vulnerabilities has discovered three variants and demonstrated that malicious code can read system memory that houses passwords, encryption keys, and other sensitive information.
All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.
Upon discovery of this vulnerability, Google worked with internal teams and industry partners to address the issues.
There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.
For its products, Google has a status page that lists the current state of mitigations.
On Android, the January security patch — specifically the later 2018-01-05 update — released yesterday includes mitigations to reduce access and limit the attack “on all known variants on ARM processors.” Google notes that “exploitation has been shown to be difficult and limited on the majority of Android devices,” with future updates adding more protections.
Meanwhile, Chrome 64, scheduled for release on January 23rd, will contain mitigations, while those who want extra security now can enable a feature known as Site Isolation to isolate websites into separate address spaces.
For Chrome OS, version 63, released in December, includes patches for “Intel Chrome OS devices on kernels 3.18 and 4.4.” ARM Chrome OS devices are not affected, but the patch used on Intel devices will be included in a future release.
Other consumer products like Google Home, Chromecast, Wifi, and OnHub are not affected. Google has a separate list covering its Cloud Platform Products and services. The Project Zero team also has a longer, more detailed blog post on the issue.
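Because each variant needs its own mitigation, a practitioner checking a Linux host wants a per-variant answer rather than a single "patched" flag. The following is an added example, not code from the article or from Google; it reads the one-line reports the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (one file per variant) and treats a missing file as unknown, since a kernel that predates that interface cannot vouch for itself. The sample contents are constructed for the offline demo.

```python
"""Per-variant mitigation status from Linux sysfs (added example)."""
import os

# Assumed sysfs location; the kernel names one file per variant.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
VARIANTS = ("spectre_v1", "spectre_v2", "meltdown")


def classify(report: str) -> str:
    """Map a kernel report line to a coarse status.

    The kernel writes 'Not affected', 'Vulnerable[: detail]' or
    'Mitigation: <technique>'; anything else is reported as unknown.
    """
    text = report.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(reports: dict) -> dict:
    """Return {variant: status}; an absent report counts as unknown."""
    return {v: classify(reports.get(v, "")) for v in VARIANTS}


def read_sysfs(directory: str = SYSFS_DIR) -> dict:
    """Collect the per-variant reports from a live host, if present."""
    reports = {}
    for v in VARIANTS:
        path = os.path.join(directory, v)
        if os.path.exists(path):
            with open(path) as f:
                reports[v] = f.read()
    return reports


# Constructed sample: a host mitigated for variants 1 and 3 only.
SAMPLE_REPORTS = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}

if __name__ == "__main__":
    live = read_sysfs()  # falls back to the sample off-Linux
    for variant, status in summarize(live or SAMPLE_REPORTS).items():
        print(f"{variant:10s} {status}")
```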