All Google products not explicitly listed below require no user or customer action.

Android

Devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.

Supported Nexus and Pixel devices with the latest security update are protected.

Further information is available here.

Google Apps / G Suite (Gmail, Calendar, Drive, Sites, etc.):

No additional user or customer action needed.

Google Chrome

Some user or customer action needed. More information here.

Google Chrome OS (e.g., Chromebooks):

Some additional user or customer action needed. More information here.

Google Cloud Platform

Google App Engine: No additional customer action needed.

Google Compute Engine: Some additional customer action needed. More information here.

Google Kubernetes Engine: Some additional customer action needed. More information here.

Google Cloud Dataflow: Some additional customer action needed. More information here.

Google Cloud Dataproc: Some additional customer action needed. More information here.

All other Google Cloud products and services: No additional action needed.

Google Home / Chromecast:

No additional user action needed.

Google Wifi/OnHub:

No additional user action needed.

Multiple methods of attack

To take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.

The Project Zero researchers discovered three methods (variants) of attack, which are effective under different conditions. All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.

In order to improve performance, many CPUs may choose to speculatively execute instructions based on assumptions that are considered likely to be true. During speculative execution, the processor is verifying these assumptions; if they are valid, then the execution continues. If they are invalid, then the execution is unwound, and the correct execution path can be started based on the actual conditions. It is possible for this speculative execution to have side effects which are not restored when the CPU state is unwound, and can lead to information disclosure.

There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks.
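
Because each variant is protected independently, a patched host should be checked one variant at a time rather than as a single pass/fail. The script below is an added example, not code from the original post or from Google. It assumes a Linux host whose kernel reports mitigation status under /sys/devices/system/cpu/vulnerabilities/, and its mapping of variants 1, 2 and 3 to the files spectre_v1, spectre_v2 and meltdown follows Linux's naming rather than anything on this page.

```python
#!/usr/bin/env python3
"""Report per-variant mitigation status from Linux sysfs (added example)."""
from pathlib import Path

# Assumption: the kernel exposes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Linux file name for each of the three variants (Linux naming, not the page's).
VARIANT_FILES = {
    "variant 1": "spectre_v1",
    "variant 2": "spectre_v2",
    "variant 3": "meltdown",
}


def classify(text):
    """Map one sysfs status line to (state, detail)."""
    line = text.strip()
    head, _, detail = line.partition(":")
    states = {"not affected": "not_affected", "mitigation": "mitigated",
              "vulnerable": "vulnerable"}
    state = states.get(head.strip().lower())
    if state is None:
        return "unknown", line  # unrecognised wording: surface it verbatim
    return state, detail.strip()


def check_variants(base=SYSFS_DIR):
    """Read each variant's file separately; a missing file is 'unknown', not safe."""
    results = {}
    for variant, fname in VARIANT_FILES.items():
        try:
            results[variant] = classify((Path(base) / fname).read_text())
        except OSError:
            results[variant] = ("unknown", "status file not readable")
    return results


def needs_action(results):
    """Variants that are not confirmed mitigated or unaffected."""
    return sorted(v for v, (state, _) in results.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    report = check_variants()
    for variant, (state, detail) in report.items():
        print(f"{variant:10} {state:13} {detail}")
    raise SystemExit(1 if needs_action(report) else 0)
```

The non-zero exit status when any variant is vulnerable or unknown lets the check gate a fleet patch-compliance job.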



