Intel, Amazon, ARM, Microsoft and others are playing down concerns over disclosure of the massive Spectre and Meltdown vulnerabilities impacting computers, servers and mobile devices worldwide.
The two flaws, Spectre and Meltdown, are far reaching and impact microprocessors used in the past decade in nearly all computers and mobile devices including those running Android, Chrome, iOS, Linux, macOS and Windows. While Meltdown affect only Intel processors, Spectre affects chips from Intel, AMD, ARM and others.
Here is how vendors are responding to Spectre and Meltdown, also referred to as “speculative execution side-channel attacks.”
As for Intel, affected by Meltdown are all Intel processors released since 1995. The company said Wednesday that OEMs will release relevant Intel firmware updates to address the issue. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said in a statement.
Microsoft said it was offering an out-of-band update for Windows Wednesday. “Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services,” the company said in a statement to its Security TechCenter.
“Speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and can therefore lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment,” Microsoft said.
Security patches protecting against Spectre and Meltdown exploits in the Linux kernel were pushed last week. Thomas Gleixner, a Linux kernel developer, posted last month to the Linux Kernel Mailing List information about isolation patches called KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed).
Mobile chip designer ARM said most processors designed by the company are not affected by Spectre. Those chips that are include: Cortex-A75, Cortex-A73, Cortex-A72, Cortex-A57-, Cortex-A17, and Cortex-A9.
Google addressed the issue in a “We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation,” wrote Matt Linton, senior security engineer and Pat Parseghian, technical program manager, both with Google.
Google said Android devices with the latest security update, released on Jan. 3, are protected. Google Chrome OS versions prior to 63 are not patched. Google added, “Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.” And Google Cloud Infrastructure and Google App Engine require “no additional user or customer action.” Google Compute Engine customers have been informed the infrastructure is patched, but “customers much patch/update guest environment(s).”
Amazon released a statement regarding the impact of Meltdown and Spectre stating “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”
“While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin,” Amazon said.
Apple has not released a statement relating to the Spectre and Meltdown. However, it’s understood that the recent macOS 10.13.2 update, released on Dec. 6, partially addressed the flaw. Alex Ionescu, vice president of endpoint detection and response strategy at Crowdstrike, tweeted:
“The question on everyone’s minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the “Double Map” since 10.13.2 — and with some surprises in 10.13.3 (under Developer NDA so can’t talk/show you).”
AMD said the impact of the three known vectors for exploiting Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715) and CVE-2017-5754) are “near zero.” It said issues tied to CVE-2017-5753 will be addressed via OS updates made by system vendors and are expected to have “negligible performance impact” on system performance. AMD did say that the “branch target injection” vector (
“Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes,” Wagner wrote.
Wagner added Mozilla has implemented a short-term fix in all Firefox releases starting with 57, he said. “Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox,” he said.
Google’s security research team Google Project Zero discovered the Meltdown flaw last June. Jann Horn, a security analyst at a Google, is credited for discovering the flaw. Also credited for researching the vulnerability and alerting Intel of the flaw are Werner Haas and Thomas Prescher, at Cyberus Technology; and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz at the Graz University of Technology.
On Wednesday, the United States Computer Emergency Readiness Team issued one of the harshest recommendations for fixing the issue. Under solutions, US-CERT states “replace CPU hardware.”
“The underlying vulnerability is primarily caused by CPU implementation optimization choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” US-CERT states.