Google details Meltdown and Spectre flaws that could affect Intel, AMD, and ARM chips
That Intel security flaw you’ve heard about may not be specific to Intel after all. The chipmaker’s stock took a hit after reports of a hardware bug, but according to researchers at Google’s Project Zero, these flaws could let someone filch data from devices powered by Intel, AMD, and ARM chips.
These are the same folks that first identified the problem (it was reported to the chipmakers in June 2017), and Intel and other firms had planned to reveal it next week, when there would be updates to fix the issue. However, they’ve since broken the silence in order to address reports of the flaw, which leaked ahead of time.
The big news is obviously that the problem could be more widespread than initially thought, with PCs, smartphones, and servers all affected. Furthermore, these findings run contrary to AMD’s initial statement that its chips were not vulnerable.
That said, AMD has responded with a second statement, saying it still believes its processors remain above the fray:
“To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time.”
Google says there are three parts to the attack, all of which need to be patched independently.
In a nutshell, the exploit can give a process running with normal user privileges unauthorized access to data in memory, which may contain sensitive material such as passwords. For instance, someone attacking a virtual machine could access the memory of the host machine, and then move on to the memory of other VMs hosted on that system.
The flaws have been dubbed Meltdown and Spectre, and the former is the one at the center of the issue. It uses speculative execution to break the “fundamental isolation” between apps and the OS in an attempt to obtain data.
Modern CPUs improve performance by using speculative execution to preemptively execute likely code branches. Unfortunately, the processor can get ahead of itself and execute instructions that it should not, and a hacker can trick it into allowing unprivileged code into the kernel's memory.
Spectre uses a similar approach to bypass the separation between apps, but it’s also more difficult to exploit.
The good news is that fixes are already available. Google says that Android phones with the latest security update are safe, as are devices like Google Home, Chromecast, and Google WiFi.
Microsoft has also issued an off-schedule Windows security update to patch the problem. Patches for Linux and macOS are ready as well.
As for the reported performance hit that comes with the patches, that appears to depend a lot on the type of workload.
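Because the three variants are patched independently, a patched Linux machine is best checked one variant at a time. The sketch below is an added example, not code from Google or from this article: it reads the per-variant status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities. The function names are hypothetical and SAMPLE is constructed data.

```python
from pathlib import Path

# Linux (4.15+) sysfs file per variant; labels follow Project Zero's numbering.
VARIANTS = {
    "spectre_v1": "Variant 1 (Spectre)",
    "spectre_v2": "Variant 2 (Spectre)",
    "meltdown": "Variant 3 (Meltdown)",
}
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

def classify(status):
    """Map one sysfs status line to a coarse verdict."""
    text = (status or "").strip()  # None means the file was absent
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_statuses(base=SYSFS_DIR):
    """Raw status line per variant, or None where the file cannot be read."""
    out = {}
    for name in VARIANTS:
        try:
            out[name] = (Path(base) / name).read_text()
        except OSError:
            out[name] = None
    return out

def report(statuses):
    """Judge each variant on its own: one patch does not cover the others."""
    return {name: classify(statuses.get(name)) for name in VARIANTS}

def needs_action(statuses):
    """Variants not confirmed as mitigated or unaffected."""
    bad = ("vulnerable", "unknown")
    return sorted(n for n, v in report(statuses).items() if v in bad)

# Constructed sample: Meltdown patched (PTI), variant 2 still unpatched.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}

if __name__ == "__main__":
    print(report(read_statuses()))
```

An "unknown" verdict is treated as needing action, since a kernel too old to expose these files also predates the fixes that shipped alongside them.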