It’s time for some damage control and repair … oh boy what a mess for Intel.
After Intel and AMD’s differing statements on the same issue, now is the time for Google, ARM, and Microsoft to release statements regarding the recently discovered (and still in the spotlight) security flaws that impact almost all Intel CPUs from the last decade. Google is the company that originally alerted Intel to the existence of the security vulnerabilities, and mentioned some reservations regarding AMD and ARM’s immunity as well. Microsoft, as the maker of the world’s most recognized and widely-used OS, has also issued a statement. The ARM statement follows, with both Google and Microsoft’s statements transcribed after the break.
ARM
This method requires malware running locally and could result in data being accessed from privileged memory. Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.
Google
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.
As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.
We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming.
Microsoft
We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.