Google's Project Zero Team Discovered Critical CPU Flaw Last Year (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: In a blog post published minutes ago, Google's Security team announced what they have done to protect Google Cloud customers against the chip vulnerability announced earlier today. They also indicated their Project Zero team discovered this vulnerability last year (although they weren't specific with the timing). The company stated that it informed the chip makers of the issue, which is caused by a process known as "speculative execution." This is an advanced technique that enables the chip to essentially guess what instructions might logically be coming next to speed up execution. Unfortunately, that capability is vulnerable to malicious actors who could access critical information stored in memory, including encryption keys and passwords. According to Google, this affects all chip makers, including those from AMD, ARM and Intel (although AMD has denied they are vulnerable). In a blog post, Intel denied the vulnerability was confined to their chips, as had been reported by some outlets. The Google Security team wrote that they began taking steps to protect Google services from the flaw as soon as they learned about it.
There's two separate issues. One is specific to pulling things from core memory in Intel chips, the other is an architectural issue which impacts all chips made in the last decade or so and cannot be patched. They're focusing on the Intel one because that can be patched whereas the architectural issue requires a redesign that isn't in place yet, will probably take years to pass QA properly and have the masks manufactured, and will require a complete recall of every chip made after the 90's. From the Snowden and other leaks we learned that all the hacker tools can leak without issue because nobody actually cares to exploit them but governments and corporations anyway - and they're pretty quiet about it most of the time. Additionally we've known that between Intel ME and AMD's equivalent all the chips were already compromised. This is nothing new. We're already running through barbed wire naked and nobody gives a shit, if anything this revelation of a security hole which can be patched is to make people believe things will be safe if they stick some more spyware on their machine because the quality of data from people who know their spied on is lower than those that don't.