Qualcomm joins Intel, Apple, Arm, AMD in confirming its CPUs suffer hack bugs, too

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Just in time for Friday night

Qualcomm has confirmed its processors have the same security vulnerabilities disclosed this week in Intel, Arm and AMD CPU cores this week.

The California tech giant picked the favored Friday US West Coast afternoon "news dump" slot to admit at least some of its billions of Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors are subject to the Meltdown and/or Spectre data-theft bugs.

"Qualcomm Technologies, Inc is aware of the security research on industry-wide processor vulnerabilities that have been reported," a spokesperson for Qualcomm told The Register.

"Providing technologies that support robust security and privacy is a priority for Qualcomm, and as such, we have been working with Arm and others to assess impact and develop mitigations for our customers."

She continued:

We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available.

Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm's CPUs are affected, while the Meltdown paper doesn't conclude either way.

Qualcomm uses a mix of customized off-the-shelf Arm cores and its homegrown Arm-compatible CPUs in its products, which drive tons of Android-based smartphones, tablets, and other devices. A selection of Arm Cortex-A and Cortex-R CPU core designs are vulnerable to the CVE-2017-5753 and CVE-2017-5715 Spectre vulnerabilities, but only one – the Cortex-A75 – is also vulnerable to the easily exploitable CVE-2017-5754 Meltdown flaw. The A75 is not in any shipping product at the moment.

Qualcomm will use that A75 core for its Snapdragon 845, while other Snapdragon lines list the A53 and A72, which are only vulnerable to the two Spectre variants. As we said, Qualcomm uses a mix of custom and off-the-shelf cores; they are probably affected by Spectre, and maybe Meltdown. Qualy won't clarify either way.

Look out for operating system updates – particularly Android and Linux – to install on your Qualcomm-powered devices and machines.

Apple, which too bases its iOS A-series processors on Arm's instruction set, said earlier this week that its mobile CPUs were vulnerable to Spectre and Meltdown – patches are available or incoming for iOS. The iGiant's Intel-based Macs also need the latest macOS, version 10.13.2 or greater, to kill off Meltdown attacks.
 

Solarquest

"Qualcomm will use that A75 core for its Snapdragon 845, while other Snapdragon lines list the A53 and A72, which are only vulnerable to the two Spectre variants."

...but on the ARM site the A53 is not listed... (Arm Processor Security Update – Arm Developer) :unsure:

It amazes me how even after 7 (SEVEN) months all is still so unclear, messy, how all companies are still so unprepared, unclear. :mad:
Are their products vulnerable or not? What does (will) the update do? Will the update fix (100%), partially patch, mitigate, limit the bug? Which one? What do they mean with "limit, mitigate" - how much do they "limit, mitigate"?

Intel - it's not a bug nor a flaw (if they say so...) - Next week they will release a firmware update that will render 90 % of the chips produced in the last 5 years "immune" for both exploits. Who will get it? Users or MB manufacturer? The update will fix it 100%?... with or without MSFT patch?
When will the other 10 % get an update?
Why don't they provide an update for older chips too????? It's not because it's too complicated or time consuming, right?

AMD- is not vulnerable at all- then for Spectre 2 there is a near 0 risk of exploitation and vulnerability has not been demonstrated - OS update will fix it (Spectre 1) - (was it fixed by last MSFT update?)


ARM - if vulnerable, did Google 05-01-18 update fix it, mitigate or limit it?

Qualcomm- see above - we need to wait


To summarize

CVE-2017-5757: known as variant 1, a bounds check bypass - Spectre variant 1
CVE-2017-5757: known as variant 2, branch target injection - Spectre variant 2
CVE-2017-5757: known as variant 3, rogue data cache load - Meltdown
 
