As the news of a wide-spread vulnerability in Intel and AMD CPUs spread across the globe, the tech ecosystem went straight into panic mode. Google was in the forefront of this action as its Project Zero group was one of the teams which discovered this vulnerability in 2017 and set in motion the measures that all device manufacturers in the world are now taking to thwart these major threats..
Meltdown and Spectre exploit critical vulnerabilities in most modern processors, built by Intel, AMD and ARM. Since they are hardware bugs, they are that much harder to fix. Plainly put, the two loopholes allow programs to steal data currently being processed on the computer.
According to Google’s Security blog post, the security flaw in most modern processors enabled the attackers to read protected system memory including passwords, encryption keys, or other sensitive information. And this is bad because the said data should be inaccessible to other programs, which is the restriction the vulnerabilities remove.
The speculative exception process (Spectre), if you’re unaware, is an optimization technique that is used by computers to perform some tasks before they usually need to occur. This means that the CPU knows which programs may come in handy and need to be executed earlier, so as to prevent any delays. Unfortunately, this main step can be accessed by any unauthorized program to run away with your private data.
If this sounds a bit unrelatable, you can check out this simple analogy used we used to explain how this vulnerability exploits your system data.
Upon further investigation, Google found that three different variants of malicious code can be used to intrude on a user’s computer via this CPU vulnerability. While the first two are being referred to as ‘Spectre’, the third one has been codenamed ‘Meltdown’.
There is no common fix for all 3 strains of attack methods and each of them requires independent protection.
Google’s Security Efforts
As for Google, it was quick on its feet and immediately relayed the info about this massive vulnerability to chipmakers, while also taking measures to protect their own systems and data stored in the cloud. It has joined hands with numerous software and hardware partners to mitigate the loss of user privacy and data on the Internet. Here’s a rundown of the different Google products and its current attack mitigation state:
The search giant has asserted that the latest ‘January security patch’ comes packed with a set of mitigations to reduce the chance of an attack on all ARM-based Android devices. But, in sort of a humblebrag, it has added that exploit was quite difficult to achieve and limited in scope on Android devices.
Only Intel-powered Chromebooks are affected by this vulnerability whereas the ARM ones are free of unexpected intrusions. Google has already included a patch for “Intel Chrome OS devices on kernels 3.18 and 4.4” but plans to further bolster its security with future Chrome OS releases.
Google Cloud Platform
This was the first Google platform to attract attention from the tech giant once the critical security flaw was discovered. While most of its cloud engines are protected against this attack, but some form of user interaction may be need from your end.
In addition, other Google hardware products like the Chromecast, Wi-Fi, G Suite, as well as Google Home are unaffected by this critical CPU vulnerability. The big question is whether other hardware makers will be able to patch this CPU vulnerability in time.