Google has revealed its Project Zero findings on the “speculative execution” security flaws that have sent processor-makers into a tailspin today. The issue – which had initially been circulating as an Intel processor flaw, but which it now appears affects chips from multiple manufacturers – is, in fact, a number of vulnerabilities that exploit critical aspects of many processors since 1995. They’re generally being known as Meltdown and Spectre.
Meltdown is a failure of the isolation between the operating system of a computer, and the user’s applications. A successful attack allows a program to access the memory used by other programs and the OS. That, it’s suggested, could allow a hacker to extract sensitive data being used by other apps.
Spectre, meanwhile, does something similar only between different applications. It’s also based on fundamental flaws in the processors, though researchers say it’s tougher to exploit than Meltdown. Conversely, while there are software patches that effectively block Meltdown attacks, currently it’s far harder to mitigate against Spectre. Indeed, while specific, known exploits can be patched against, that’s not to say there won’t be new variations in future.
Google’s Project Zero researcher, Jann Horn, seemingly identified the speculative execution issues independently to other researchers. According to Google, the issue was initially intended to be disclosed on January 9th, 2018. However, “because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation” it has pulled the trigger early.
A site, Meltdownattack.com, hosted by the Graz University of Technology – researchers from which also reported both Meltdown and Spectre – has further details. If you were hoping to ignore the whole situation, you’ll probably be disappointed: most people are likely to be affected by the bug, and there’s no trace left of the exploitation even if you are. Antivirus software is “unlikely in practice” to spot either Meltdown or Spectre attacks at work.
If you’re a Google product user, the important thing you’ll probably want to know is whether your products are currently safe or not. Android devices with the latest security update, published earlier this month, are protected, while online services like Google Apps, G Suite, and the Google App Engine require no user action. Google Home and Chromecast, Google Wifi, and OnHub users are also in the clear. However, Chrome and Chrome OS users, along with some other Google Cloud Platform product users, may have to do something in order to secure their systems.
It’s worth noting Google’s warning that, though it may have patches, there’s still the risk of a new Meltdown or Spectre-related exploit being discovered in the future. “As this is a new class of attack,” Matt Linton, Senior Security Engineer and Pat Parseghian, Technical Program Manager, write, “our patch status refers to our mitigation for currently known vectors for exploiting the flaw.”
What’s unclear – and will remain that way until more of the patches hit systems – is just how much of an impact the fixes have on overall performance. Initial reports cautioned it could add up to a 30-percent hit or greater, though Intel said this afternoon that, for the average user, it would be at most a 2-percent slowdown of their system. Intel also points out that multiple chip-providers are affected, including its own processors and those from ARM; the latter has said its Cortex-A chipsets are vulnerable. However, though Google says it has identified vulnerability with AMD processors, AMD itself says they are not.