Google's Project Zero security team, which focuses on discovering zero-day vulnerabilities, says that it identified the serious chip flaw announced yesterday last year, and told chip makers about it at the time.
It is now clear that there are two vulnerabilities. One, known as ‘Meltdown', was covered on our sister site Computing yesterday and affects Intel chips. The other, ‘Spectre', is said to affect hardware by all chip makers.
Google says that the flaws are caused by ‘speculative execution' (this was rumoured but not confirmed yesterday), a technique used by most modern CPUs to optimise performance.
CPUs use speculative execution to work more quickly, beginning to execute instructions that are considered likely to take place. If the assumptions are valid, then the execution continues; if not, they are unwound and the correct execution path can be started.
This technique can have side effects: namely, not all data is deleted when the CPU state is unwound, and that means that some information can remain cached and accessible later.
More importantly, Google says that the Spectre vulnerability applies to chips from all vendors, which AMD denied yesterday. The Project Zero post states, ‘These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.'
In a statement, Intel has said that the flaw is not a bug and says that it is working with other chip makers, include AMD and ARM; although AMD still insists that its hardware is not vulnerable. An earlier statement statement said:
‘To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time.'
Intel also noted that the average computer user should not be affected by performance impacts stemming from fixes, as reported yesterday.
In related news, it has been alleged that Intel CEO Brian Krzanich knew about the vulnerability when he sold off a large chunk of his shares in the company last year. Krzanich made $24 million by selling the majority of his stake in late November.
The sale caused some comment at the time, as it left Krzanich with just 250,000 shares - the bare minimum required by Intel under the terms of his employment.
An Intel representative said that the sale was pre-planned and unrelated to the discovery of the vulnerability, which Google apparently shared with Intel in June - although Krzanich only arranged the sale in October, months after the news was apparently shared.
Wikileaks Vault 7 suspect Joshua Schulte fingered by FBI after re-using smartphone passwords on his PCs
Joshua Schulte indicted on 13 counts relating to Vault 7 leaks and trading in images of child abuse
Alexa for Hospitality will link with existing systems so guests can order room service and control the air con
Massive volcanic eruptions could have warmed Mars' surface sufficiently for oceans to form
Examination of fruit flies' brains generated more than one billion data points for scientists to analyse