While yesterday’s Intel, AMD and ARM CPU vulnerabilities suggested that an entire generation of devices have been open to serious attack, it seems that companies have known about the flaws for some time.
Case in point, Google’s Project Zero security analysis team published a report on January 3rd, 2018 outlining the team’s efforts to mitigate CPU risks to Google products. What’s interesting to note is that the Project Zero team purports to have first learned about these security flaws “last year.”
“The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible,” reads an excerpt from a January 3rd, 2018 media release.
Google has also published a full list of products affected by the CPU security flaws, including Android, Google Apps, G Suite, the Google Chrome Browser, Google Chrome OS and a variety of Google Cloud Platform Products and Services.
“As this is a new class of attack, our patch status refers to our mitigation in many products (or wasn’t a vulnerability in the first place),” reads another excerpt from the same January release. “In some instances, users and customers may need to take additional steps to ensure they’re using a protected version of a product.”
The Project Zero team also said that its discovered three specific methods of attack, “which are effective under different conditions.”
“There is no single fix for all three attack variants; each requires protection independently,” reads another excerpt. “Many vendors have patches available for one of more of these attacks.”
Source: Google Security Blog