The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.
As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.
We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation. The full Project Zero report is forthcoming (update: this has been published; see above).
Mitigation status for Google products
A list of affected Google products and their current status of mitigation against this attack appears here. As this is a new class of attack, our patch status refers to our mitigation for currently known vectors for exploiting the flaw. The issue has been mitigated in many products (or wasn’t a vulnerability in the first place). In some instances, users and customers may need to take additional steps to ensure they’re using a protected version of a product. This list and a product’s status may change as new developments warrant. In the case of new developments, we will post updates to this blog.
- All Google products not explicitly listed below require no user or customer action.
- Devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.
- Supported Nexus and Pixel devices with the latest security update are protected.
- Further information is available here.
- Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):
  - No additional user or customer action needed.
- Google Chrome:
  - Some user or customer action needed. More information here.
- Google Chrome OS (e.g., Chromebooks):
  - Some additional user or customer action needed. More information here.
- Google Cloud Platform:
  - Google App Engine: No additional customer action needed.
  - Google Compute Engine: Some additional customer action needed. More information here.
  - Google Kubernetes Engine: Some additional customer action needed. More information here.
  - Google Cloud Dataflow: Some additional customer action needed. More information here.
  - Google Cloud Dataproc: Some additional customer action needed. More information here.
  - All other Google Cloud products and services: No additional action needed.
- Google Home / Chromecast:
  - No additional user action needed.
- Google Wifi/OnHub:
  - No additional user action needed.