January 4th, 2018
Last year, Google’s Project Zero security team discovered a vulnerability affecting modern microprocessors. Since then, Google engineering teams have been working to protect our customers from the vulnerability across the entire suite of Google products, including Google Cloud Platform (GCP), G Suite applications, and the Google Chrome and Chrome OS products. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web.
All G Suite applications have already been updated to prevent all known attack vectors. G Suite customers and users do not need to take any action to be protected from the vulnerability.
GCP has already been updated to prevent all known vulnerabilities. Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers. We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts.
Customers who use their own operating systems with GCP services may need to apply additional updates to their images; please refer to the GCP section of the Google Security blog post concerning this vulnerability for additional details. As more updates become available, they will be tracked on the the Compute Engine Security Bulletins page.
Finally, customers using Chrome browser—including for G Suite or GCP—can take advantage of Site Isolation as an additional hardening feature across desktop platforms, including Chrome OS. Customers can turn on Site Isolation for a specific set of websites, or all websites.
The Google Security blog includes more detailed information about this vulnerability and mitigations across all Google products.