Google: Chip flaw affects all makers, and we told them about it last year

The vulnerability uses a technique called speculative execution to uncover sensitive information

Google's Project Zero security team, which focuses on discovering zero-day vulnerabilities, says that it identified the serious chip flaw announced yesterday as long ago as last year, and told chip makers about it at the time.

It is now clear that there are two vulnerabilities. One, known as ‘Meltdown’, was covered on our sister site Computing yesterday and affects Intel chips. The other, ‘Spectre’, is said to affect hardware by all chip makers.

Google says that the flaws are caused by ‘speculative execution’ (this was rumoured but not confirmed yesterday), a technique used by most modern CPUs to optimise performance.

CPUs use speculative execution to work more quickly, beginning to execute instructions that are considered likely to be needed before it is certain that they will be. If the assumptions are valid, then the execution continues; if not, the speculative work is unwound and the correct execution path can be started.

This technique can have side effects: namely, not all data is deleted when the CPU state is unwound, and that means that some information can remain cached and accessible later.

More importantly, Google says that the Spectre vulnerability applies to chips from all vendors, which AMD denied yesterday. The Project Zero post states, ‘These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.’

In a statement, Intel has said that the flaw is not a bug and says that it is working with other chip makers, including AMD and ARM, although AMD still insists that its hardware is not vulnerable. An earlier statement said:

‘To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time.’

Intel also noted that the average computer user should not be affected by performance impacts stemming from fixes, as reported yesterday.

In related news, it has been alleged that Intel CEO Brian Krzanich knew about the vulnerability when he sold off a large chunk of his shares in the company last year. Krzanich made $24 million by selling the majority of his stake in late November.

The sale caused some comment at the time, as it left Krzanich with just 250,000 shares - the bare minimum required by Intel under the terms of his employment.

An Intel representative said that the sale was pre-planned and unrelated to the discovery of the vulnerability, which Google apparently shared with Intel in June - although Krzanich only arranged the sale in October, months after the news was apparently shared.