Thursday, January 4th 2018

Google, ARM, Microsoft Issue Statements Regarding Discovered Security Flaws

After Intel and AMD's differing statements on the same issue, Google, ARM, and Microsoft have now released statements of their own regarding the recently discovered (and still in the spotlight) security flaws that impact almost all Intel CPUs from the last decade. Google is the company that originally alerted Intel to the existence of the security vulnerabilities, and mentioned some reservations regarding AMD and ARM's immunity as well. Microsoft, as the maker of the world's most recognized and widely-used OS, has also issued a statement. The ARM statement follows, with both Google and Microsoft's statements transcribed after the break.

ARM
This method requires malware running locally and could result in data being accessed from privileged memory. Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.
Google
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.

As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google's systems and our users' data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.

We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming.

Microsoft
We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.

Sources: The Verge, AXIOS, Google Security Blog, via Videocardz

10 Comments on Google, ARM, Microsoft Issue Statements Regarding Discovered Security Flaws

#1
Fluffmeister
When this news initially broke, all I could think of was.... I love that Spectre logo!
#2
P4-630
The Way It's Meant to be Played
https://www.youtube.com/watch?v=wJnBTPUQS5A
#3
hellrazor
Raevenlord said:
"Microsoft, as the maker of the world's most [...] widely-used OS, has also issued a statement."
For shame.
#5
R-T-B
Fluffmeister said:
"When this news initially broke, all I could think of was.... I love that Spectre logo!"
Spectre: This ain't Casper, man... He has a stick.
#6
lexluthermiester
Microsoft: "We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
Rubbish. When the US government and most of the governments in the EU send out wide-spread advisories, it's been used in the wild. The question is when, how bad and by whom...
#7
nem..
the pandora's box
[MEDIA=twitter]949070930378133505[/MEDIA]
#8
lexluthermiester
nem.. said:
"the pandora's box
[MEDIA=twitter]949070930378133505[/MEDIA]"

Love that! This is exactly why I'm a diehard user and promoter of Noscript and Adblockers.

EDIT; For your enjoyment... The ones labeled 512 are 512 pixels wide...

These are meant to be a fun joke and are in no way an implication that I'm taking sides on this issue.
#9
theoneandonlymrk
I'm going with this thread to ask this question since the others are specific to things.
Where are the reassurances on Itanium, PowerPC, VIA, and the newcomers from Russia and China, and everything Apple, as even behind the walled garden the hardware is all but the same? Be nice to know.

Apparently Apple has been vocal: all their stuff is affected but no known application

https://support.apple.com/en-us/HT208394