The identification of the "Meltdown" and "Spectre" vulnerabilities in Intel- and ARM-based processors — including chips used in Apple's Macs, iPhones, and iPads — can be credited almost entirely to a Google security researcher in his early 20s, Jann Horn.
Originally from Germany, Horn now works in Zurich, Switzerland with Project Zero, Google's zero-day team, Bloomberg noted on Wednesday. He's said to have discovered the issues while working alone, beginning in April, when he was reading Intel processor manuals to make sure chips could handle code he'd written.
It's in reading about speculative execution that Horn realized that sensitive data was being kept in memory and could potentially be accessed by clever hacking. After talking to a fellow Google researcher, he arrived at the idea of tricking a processor into unusual speculative executions that could be used to fetch specific data.
Horn eventually told Intel, ARM, and AMD about the situation on June 1. By the time Meltdown and Spectre were announced to the public this January, Horn was given lead credit.
Accounts differ on the amount of contact between Horn and Intel. At a conference in Zurich on Jan. 11, Horn said that after his initial data sharing, there was no discussion until Intel called him in early December to confirm other researchers had found the same issues. A Google spokesman, Aaron Stein, insists however that there was much more chatter.
"Jann and Project Zero were in touch with Intel regularly after Jann reported the issue," Stein told Bloomberg.
Apple has already released several related security fixes, with more in the works. It's nevertheless facing multiple lawsuits, as are companies like ARM and Intel.
17 Comments
I admittedly haven’t read extensively on the Meltdown/Spectre flaws, but the fact that it’s present in multiple processor from different manufacturers and of different types tells me this is a flaw with the underlying chip design architecture that has been used for many years now without anyone discovering the hole. Kudos to Mr. Horn for discovering the flaw, but reading this and the articles about all the class action lawsuits, I can’t understand how Intel, Apple or any other manufacturer should be held liable for something that no one knew about until 6 months ago at best. Or am I just making the mistake of applying common sense to the law?