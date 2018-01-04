The job of the white-hat security researchers in Google’s Project Zero group is to break things. And they broke something very big when then discovered major vulnerabilities in modern processors. Between them, the bugs, known as Meltdown and Spectre , could affect virtually any computing device manufactured in the last 20 years.

These bugs represent a security threat the scope of which has scarcely been seen before. They have the ability to penetrate the layers of apps and other software that sit between a machine’s user interface and its processor to let an intruder access sensitive data such as keystrokes, passwords, and all manner of personal and financial data. It’s scary stuff.

When Google’s Project Zero researchers discovered the bugs, and proved that they could be used as attack vectors, they found themselves in possession of some potentially dangerous information. And they faced a tough decision: How should they get the exploit information into the hands of people who could use it for the greatest good—such as providers of processors, operating systems, and cloud platforms—while preventing it from inadvertently falling into the hands of criminal elements who might use it maliciously?

Google ultimately decided to show its proof-of-concept data to a small group of key constituents. The researchers notified Intel first, to give it a head start on protecting its processors. Intel developed new security patches and is distributing them to computer makers that use its chips.

In a statement on Thursday, Intel declared that it “has developed and is rapidly issuing updates for all types of Intel-based computer systems—including personal computers and servers—that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero.”

Amazon and Microsoft—and Google itself—have been using Project Zero’s research to create and issue patches for their cloud service servers, which are used by businesses small and large. The companies said in statements Wednesday they’re close to patching up all vulnerabilities.

Before giving these companies a heads-up, Google required them to sign non-disclosure agreements, preventing them from sharing data about the vulnerability—still undisclosed to the rest of us—with any third party. But there’s still a distinct danger that the proof of concept could be leaked to the public (and to hackers) before the service providers have a chance to completely patch up the vulnerabilities.