Google's Project Zero has revealed details of a vulnerability that impacts Intel chips going back to 1995, and confirmed rumours that it involved the use of speculative execution.
Importantly for users of AMD chips, the search giant went against comments made earlier in the week from chip manufacturer that said it was not affected.
"These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them," Google said in a blog post.
AMD later clarified that it believes there is "near zero risk" to its processors.
The flaw was discovered by Project Zero researcher Jann Horn, and would allow an attacker to read memory that should be inaccessible. This would permit an attack on a virtual machine to read the memory of the host machine, and could thereby read the memory of other VMs hosted on that machine.
There are three parts to the attack, Google said, which need to be patched independently.
"All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc," the search giant said.
According to the blog post, the flaw occurs when a speculative execution path is not taken, and the CPU state is unwound. Modern CPUs use speculative execution to increase performance by preemptively executing likely code branches to be taken; however, there is always a chance that execution may not follow the expected path.
The flaws have already been dubbed Meltdown and Spectre, with designations CVE-2017-5753 and CVE-2017-5715 allocated to Spectre, and vulnerability CVE-2017-5754 allocated to Meltdown.
Patches for the flaws are already developed for Windows, macOS, and Linux, while Google has been busy patching its systems.
Mitigations for Android have been included in its January 5 patches, with future updates to happen due to the fixes in Linux. However, given the failure or tardiness of many Android vendors to update their devices with security updates, many on the mobile operating system are likely to remain vulnerable until a new phone is purchased.
"On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices," Google said.
Enabling site isolation within Chrome helps mitigate against the attack, a Chromium security note said, while mitigations within its V8 interpreter are due in Chrome 64, set for release on January 23rd.
In a more detailed blog post, Horn said he reported the trio of flaws to Intel, AMD, and ARM on June 1, 2017, and for certain Intel and AMD CPU models, there were "exploits that work against real software".
Horn said a Spectre proof was developed that allowed for arbitrary memory reads in a 4GiB range on an Intel Xeon e5-1650 v3 processor, and allowed kernel virtual memory to be read at 2000 bytes per second after 4 seconds of startup time. Enabling the kernel's BPF JIT compiler permits for the same attack to work on an AMD PRO A8-9600 R7.
While there have been concerns that patching the flaw could hit performance by a double-digit percentage, Linus Torvalds told ZDNet it will depend on workload.
"I think 5 percent for a load with a noticeable kernel component (eg, a database) is roughly in the right ballpark," he said. "But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation."
Amazon said that "all but a small single-digit percentage" of instances on its EC2 service are already protected, with the rest to follow in the hours to come.
"While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems," Amazon said in a statement.
"Updated EC2 Windows AMIs will be provided as Microsoft patches become available."
For its part, DigitalOcean said reboots of customer Droplets could be needed, and would be scheduled if determined to be the correct course of action.
"Unfortunately, the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact," DigitalOcean said.