Google’s Project Zero team discovered critical CPU flaw last year

In a blog post published minutes ago, Google’s Security team announced what they have done to protect Google Cloud customers against the chip vulnerability announced earlier today. They also indicated their Project Zero team discovered this vulnerability last year (although they weren’t specific with the timing).

The company stated that it informed the chip makers of the issue, which is caused by a process known as “speculative execution.” This is an advanced technique that enables the chip to essentially guess what instructions might logically be coming next to speed up execution. Unfortunately, that capability is vulnerable to malicious actors who could access critical information stored in memory, including encryption keys and passwords.

According to Google, this affects all chip makers, including those from AMD, ARM and Intel (although AMD has denied they are vulnerable). In a blog post, Intel denied the vulnerability was confined to their chips, as had been reported by some outlets.

The Google Security team wrote that they began taking steps to protect Google services from the flaw as soon as they learned about it. If you’re wondering why they didn’t tell the public about it as soon as they learned about it, it’s because there was supposed to be a coordinated release coming up next week (on January 9th). When the news leaked, Google, Intel and other interested parties decided to release the information to end speculation.

The good news is that if you are using Google Apps/G Suite, you don’t need to take any action. Other Google Cloud users will have to take some steps to mitigate their risk. You should read this post for specific details on which products and services require user action.