Google Online Security Blog: Today's CPU vulnerability: what you need to know

Authored by security.googleblog.com and submitted by iIBuono

All Google products not explicitly listed below require no user or customer action.

Devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.

Supported Nexus and Pixel devices with the latest security update are protected.

Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.): No additional user or customer action needed.

Some user or customer action needed. More information here.

Some additional user or customer action needed. More information here.

Google App Engine: No additional customer action needed.

Google Compute Engine: Some additional customer action needed. More information here.

Google Kubernetes Engine: Some additional customer action needed. More information here.

Google Cloud Dataflow: Some additional customer action needed. More information here.

Google Cloud Dataproc: Some additional customer action needed. More information here.

All other Google Cloud products and services: No additional action needed.

To take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.

The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.

In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.

There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.
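Because each variant needs its own protection, a host can be patched for one and still exposed to another. As an added example (not part of Google's post), the script below reads the Linux kernel's per-variant status files and summarises them; the sysfs path is the real location on kernels that ship the reporting, while the status strings used in its self-check are constructed samples that mirror the kernel's format.

```shell
#!/bin/sh
# Added example, not from Google's post: summarise per-variant status from the
# Linux kernel's sysfs reporting. Each variant has its own file because each
# needs its own fix, so a host can be patched for one and still exposed to another.
# The path is the real sysfs location; sample status strings used when testing
# this script are constructed to mirror the kernel's format.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify STATUS -> prints mitigated | vulnerable | not-affected | unknown
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# count_vulnerable DIR -> prints how many status files still report Vulnerable
count_vulnerable() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify "$(cat "$f")")" = vulnerable ]; then
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# report DIR -> one line per variant: file name, classification, raw kernel string
report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$(classify "$status")" "$status"
    done
    printf 'variants still reported Vulnerable: %s\n' "$(count_vulnerable "$1")"
}

# Run against the live kernel interface when present; skip silently otherwise.
if [ -d "$VULN_DIR" ]; then
    report "$VULN_DIR"
fi
```

Run it as root or any user on a Linux host; the files are world-readable. The exact mitigation names the kernel prints vary by version and architecture, which is why the classification keys only on the leading word.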

spazturtle on January 3rd, 2018 at 23:13 UTC »

So there are 2 bugs here, Meltdown which is the big one and is only on Intel x86 CPUs, and Spectre which affects Intel, AMD and ARM CPUs but is not as major.

Meltdown allows a rogue application to access the memory of anything else including the kernel and memory belonging to a higher ring. And Spectre allows a rogue application to access the memory of other applications running at the same level.

The big performance hit comes from the fix for Meltdown; fixing Spectre shouldn't incur a performance penalty, and it can be fixed by the application. The fix might be able to be applied by compilers and libraries used by the application.
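The comment above says the Spectre fix can live in the application, a compiler or a library. As an added illustration, not spazturtle's code and not anything from Google's post, here is one such application-level mitigation for the bounds-check variant: index masking, modelled on the pattern the Linux kernel uses in array_index_nospec(). The table contents are constructed sample data, and the empty inline asm is a GCC/Clang extension used as an optimizer barrier.

```c
/* Added example, not code from the thread or from Google: one application-level
 * Spectre variant 1 mitigation, index masking, modelled on the pattern the Linux
 * kernel uses in array_index_nospec(). The bounds check stays, but the index is
 * also clamped with a branch-free mask, so a CPU that mispredicts the check and
 * runs ahead speculatively cannot use an out-of-bounds index to reach memory
 * outside the table. Table contents are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Branch-free mask: all ones when idx < size, all zeros otherwise.
 * Requires size < SIZE_MAX / 2 so the top bit of (size - idx - 1) is set
 * exactly when idx >= size. Everything is unsigned, so the shift is well-defined. */
static inline size_t index_mask(size_t idx, size_t size)
{
    size_t top = (idx | (size - idx - 1)) >> (sizeof(size_t) * 8 - 1); /* 1 iff out of bounds */
    return (size_t)0 - (top ^ 1);                                       /* SIZE_MAX or 0 */
}

/* Plain lookup: correct architecturally, but the load can be issued
 * speculatively with an out-of-bounds idx before the branch resolves. */
uint8_t lookup_plain(size_t idx)
{
    if (idx >= TABLE_SIZE)
        return 0;
    return table[idx];
}

/* Hardened lookup: same result, but idx is forced to 0 on the mispredicted
 * path, so the only address ever loaded lies inside the table. */
uint8_t lookup_nospec(size_t idx)
{
    if (idx >= TABLE_SIZE)
        return 0;
    /* Hide idx's value range from the optimizer (GCC/Clang extension); otherwise
     * it could prove the mask is all-ones after the check and delete it. */
    __asm__ __volatile__("" : "+r"(idx));
    idx &= index_mask(idx, TABLE_SIZE);
    return table[idx];
}

int main(void)
{
    size_t probes[] = { 0, 3, 15, 16, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx %4zu -> plain %u, nospec %u, index %s\n", probes[i],
               lookup_plain(probes[i]), lookup_nospec(probes[i]),
               index_mask(probes[i], TABLE_SIZE) ? "kept" : "clamped to 0");
    return 0;
}
```

Both lookups return identical values for every input; the difference is only in what the CPU may touch while speculating past the check, which is why a functional test alone cannot distinguish them and why such masking has to be applied deliberately at each untrusted-index access.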

dpash on January 3rd, 2018 at 23:04 UTC »

It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.

So that's the crux of the issue.

RedditIsDogShit on January 3rd, 2018 at 22:55 UTC »

tl;dr Install the January 2018 Android security patch