Google’s Project Zero team discovers serious security flaws in Intel, AMD and ARM chips
Security flaws put virtually all phones and computers at risk. Here’s everything you need to know.
Security researchers at Google say they've discovered serious security flaws affecting computer processors built by Intel and other chipmakers.
Google's Project Zero team said on Wednesday that the flaw could allow bad actors to gather passwords and other sensitive data from a system's memory.
"The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc," said the company in a blog post.
"There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks. We will continue our work to mitigate these vulnerabilities and will update both our product support page and this blog post as we release further fixes. More broadly, we appreciate the support and involvement of all the partners and Google engineers who worked tirelessly over the last few months to make our users and customers safe."
The tech company disclosed the vulnerability not long after Intel said it's working to patch it. Intel says the average computer user won't experience significant slowdowns as it's fixed.
"We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts," say Google researchers.
Both Intel and Google said they were planning to disclose the issue next week when fixes will be available. Tech companies typically withhold details about security problems until fixes are available so that hackers wouldn't have a roadmap to exploit the flaws. But in this case, Intel was forced to disclose the problem Wednesday after British technology site The Register reported it, causing Intel's stock to fall.
Google says it also affects other processors and the devices and operating systems running them.
Although Intel cited rival AMD as among the companies it's working with to address the problem, AMD said in a statement that it believes its chips are safe because they use different designs.
Meanwhile, Reuters reports that Apple Inc and Microsoft Corp had patches ready for users for desktop computers affected by Meltdown. Microsoft declined to comment and Apple did not immediately return requests for comment.
Daniel Gruss, one of the researchers at Graz University of Technology who discovered Meltdown, called it "probably one of the worst CPU bugs ever found" in an interview with Reuters.
Gruss said Meltdown was the more serious problem in the short term but could be decisively stopped with software patches. Spectre, the broader bug that applies to nearly all computing devices, is harder for hackers to take advantage of but less easily patched and will be a bigger problem in the long term, he said.
Amazon Web Services, a cloud computing service used by businesses, said that most of its internet servers were already patched and the rest were in the process of being patched.
The defect affects the so-called kernel memory on Intel x86 processor chips manufactured over the past decade, The Register reported citing unnamed programmers, allowing users of normal applications to discern the layout or content of protected areas on the chips.
That could make it possible for hackers to exploit other security bugs or, worse, expose secure information such as passwords, thus compromising individual computers or even entire server networks.
Dan Guido, chief executive of cyber security consulting firm Trail of Bits, said that businesses should quickly move to update vulnerable systems, saying he expects hackers to quickly develop code they can use to launch attacks that exploit the vulnerabilities. "Exploits for these bugs will be added to hacker's standard toolkits," said Guido.
(with inputs from Reuters)