[UPDATED 1/4/2018 7:00AM ET with Microsoft comment and emergency patch information].
After a day of speculation over a reported design flaw in Intel processors, security researchers came clean late today with full disclosure of a new and widespread class of attack that affects most computers worldwide.
Researchers from Google's Project Zero Team, Cyberus Technology, Graz University of Technology, University of Pennsylvania and the University of Maryland, Rambus, and University of Adelaide and Data61, all discovered critical flaws in a method used by most modern processors for performance optimization that could allow an attacker to read sensitive system memory, which could contain passwords, encryption keys, and emails, for example. The vulnerabilities affect CPUs from Intel, AMD, and ARM, according to Google.
The two attacks, called Meltdown and Spectre, can be executed on desktop machines, laptops, mobile devices, and in cloud environments. That means an attacker could steal information from other cloud customers' systems, for example.
Meltdown allows user applications to pilfer information from the operating system memory, as well as secret information of other programs. "If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure," the researchers wrote in an FAQ about the attacks. "Luckily, there are software patches against Meltdown," referring to Linux, Windows, and OS X updates (not all of which are yet available, however).
Most Intel processors since 1995 are affected by Meltdown, with the exception of Intel Itanium and Intel Atom prior to 2013). Only Intel processors are confirmed to be affected by it so far.
Spectre forces an application to share its secrets, and is a more difficult attack to pull off. According to the researchers, application "safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre." It affects Intel, AMD, and ARM processors on desktops, laptops, cloud servers, and smartphones.
"Both attacks use side channels to obtain the information from the accessed memory location," the researchers said.
The researchers say they don't know if the exploits have been used in the wild.
Google senior security engineer Matt Linton, and technical program manager Pat Parseghian in a blog post today said Google went public with the vulns in advance of the planned January 9 coordinated disclosure date for all affected vendors "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
Microsoft released an emergency patch for Windows late in the evening, after providing this statement in response to the disclosure: "We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
Intel earlier in the day issued a statement, noting that it "believes these exploits do not have the potential to corrupt, modify or delete data." The chip vendors said it has been providing software and firmware updates to mitigate the attacks, and reports of peformance degradation won't "be significant" for the average use and "will be mitigated over time."
ARM issued a statement as well, noting that "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism."
Amazon also issued a statement: "This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications," Amazon said.
But fair warning: those updates protect AWS's underlying infrastructure only. Full protection requires the operating systems also be patched, Amazon noted.
- Intel Processor Security Flaw Prompts Kernel Makeovers in Linux, Windows
- The Long Tail of the Intel AMT Flaw
- How the Major Intel ME Firmware Flaw Lets Attackers Get 'God Mode' on a Machine