Threatpost, Jan 04, 2018 - 1:01 p.m.

Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts

Tom Spring
Intel, Amazon, Microsoft and others are playing down concerns over the impact of the massive Spectre and Meltdown vulnerabilities affecting computers, servers and mobile devices worldwide.

The two flaws are far-reaching and affect a wide range of microprocessors shipped over the past decade in computers and mobile devices, including those running Android, Chrome, iOS, Linux, macOS and Windows. Meltdown was reported primarily against Intel processors (ARM's own advisory also lists its Cortex-A75 as susceptible to the same variant), while Spectre affects chips from Intel, AMD, ARM and others.

Researchers at Google Project Zero identify three currently known variants: “bounds check bypass” (CVE-2017-5753, Spectre variant 1), “branch target injection” (CVE-2017-5715, Spectre variant 2) and “rogue data cache load” (CVE-2017-5754, Meltdown, variant 3).
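To make the first of those variants concrete, here is an added C example (not code from the article, from Project Zero or from any vendor advisory) showing the Spectre variant 1 gadget pattern next to a hardened version. The masking helper is modelled on the Linux kernel's array_index_mask_nospec(); the victim memory layout, the probe array and the attacker-chosen index are constructed for the example, and the code does not carry out the cache-timing measurement, it only shows why the bounds check alone is insufficient and what the fix looks like.

```c
/* Spectre variant 1 ("bounds check bypass", CVE-2017-5753): the vulnerable
 * gadget and a speculation-safe rewrite. Constructed example; the actual
 * flush+reload timing measurement is out of scope here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define CACHE_LINE_STRIDE 512   /* one probe line per possible byte value */

/* Constructed victim memory: a bounds-checked public array immediately
 * followed by a secret that must never be readable through array1. */
struct victim_layout {
    uint8_t array1[ARRAY1_SIZE];
    char    secret[40];
};

static struct victim_layout victim_mem = {
    { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 },
    "The Magic Words are Squeamish Ossifrage"
};

/* Probe array the attacker can later time (the flush+reload side channel). */
static uint8_t array2[256 * CACHE_LINE_STRIDE];

/* VULNERABLE: architecturally correct, but the branch predictor can be trained
 * with in-bounds x so that an out-of-bounds x (aimed at victim_mem.secret) is
 * executed speculatively. The dependent load array2[secret_byte * 512] then
 * leaves a cache footprint that encodes secret_byte. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[victim_mem.array1[x] * CACHE_LINE_STRIDE];
    return 0;
}

/* Branchless clamp modelled on Linux's array_index_mask_nospec(): all ones
 * when index < size, all zeros otherwise, with no conditional branch for the
 * predictor to get wrong. Assumes index and size are below SIZE_MAX/2, as the
 * kernel helper does. */
size_t index_mask_nospec(size_t index, size_t size) {
    size_t v = index | (size - index - 1);        /* top bit set iff index >= size */
    size_t oob = v >> (sizeof(size_t) * 8 - 1);   /* 1 when out of bounds, else 0 */
    return (size_t)0 - (oob ^ 1);                 /* in bounds: SIZE_MAX; else 0 */
}

/* Index that stays within [0, size) even on a mispredicted path. */
size_t clamp_index_nospec(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

/* HARDENED: same bounds check, but the index actually used for the load is
 * masked, so a speculatively executed out-of-bounds x reads array1[0] instead
 * of the secret. The alternative is a serialising barrier (lfence on x86)
 * right after the check, which stalls speculation rather than defusing it. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[victim_mem.array1[x] * CACHE_LINE_STRIDE];
    }
    return 0;
}

/* The out-of-bounds index an attacker would pass so that array1[x] aliases
 * secret[i] in this constructed layout. */
size_t attacker_index_for_secret(size_t i) {
    return offsetof(struct victim_layout, secret)
         - offsetof(struct victim_layout, array1) + i;
}

int main(void) {
    size_t x = attacker_index_for_secret(0);   /* 16: one past the end of array1 */
    printf("attacker index %zu: mask=%#zx clamped=%zu\n",
           x, index_mask_nospec(x, ARRAY1_SIZE), clamp_index_nospec(x, ARRAY1_SIZE));
    printf("in-bounds index 5: mask=%#zx clamped=%zu\n",
           index_mask_nospec(5, ARRAY1_SIZE), clamp_index_nospec(5, ARRAY1_SIZE));
    /* Architecturally both functions reject the bad index; the difference only
     * exists on the speculative path, which is exactly the point. */
    printf("vulnerable(%zu)=%u hardened(%zu)=%u\n",
           x, victim_vulnerable(x), x, victim_hardened(x));
    return 0;
}
```

The mask trick is what makes the hardened version safe: the clamp is pure integer arithmetic on the data path, so even when the CPU runs past a mispredicted check it cannot form an out-of-bounds address. Compilers are free to turn a plain `if` into a conditional branch, which is why the kernel helper does not rely on one.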

Here is how companies are responding to revelations of the flaws, also referred to as “speculative execution side-channel attack” vulnerabilities.

As for Intel, potentially every Intel processor released since 1995 that implements out-of-order execution is affected by Meltdown, according to the researchers (who exclude Itanium and Atom parts from before 2013). The company said Wednesday that OEMs will release the relevant Intel firmware updates to address the issue. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” Intel said in a statement.

Microsoft said it was offering an out-of-band update for Windows ahead of next week’s Patch Tuesday security update. “Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services,” the company said in a statement on its Security TechCenter.

Linux kernel patches isolating kernel memory from user-space page tables, which address Meltdown, were merged last week. Thomas Gleixner, a Linux kernel developer, posted the series to the Linux Kernel Mailing List last month under the name KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed); the mainline implementation is known as KPTI (Kernel Page Table Isolation).

Mobile chip designer ARM said most of the processors it designs are not affected by Spectre. Those it lists as affected include the Cortex-A75, Cortex-A73, Cortex-A72, Cortex-A57, Cortex-A17 and Cortex-A9.

Google addressed the issue on Wednesday stating: “We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.”

Google said Android devices with the latest security update, released on Jan. 3, are protected. Chrome OS versions prior to 63 are not patched. Google added, “Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.” Google said its Google Cloud Infrastructure and Google App Engine require “no additional user or customer action.” Google Compute Engine customers have been informed that the infrastructure is patched, but “customers must patch/update guest environment(s),” according to Google.

Amazon released a statement regarding the impact of Meltdown and Spectre stating: “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”

“While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin,” Amazon said.

> Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER). First screenshot shows how NtCreateFile is not mapped in the kernel region of the user CR3. Second screenshot shows how a ‘shadow’ kernel trap handler, is (has to be).
> — Alex Ionescu (@aionescu) November 14, 2017

Apple has not released a statement on Spectre and Meltdown. However, it is understood that the recent macOS 10.13.2 update, released on Dec. 6, partially addressed the flaw. Alex Ionescu, vice president of endpoint detection and response strategy at CrowdStrike, appears to confirm this in a tweet:

“The question on everyone’s minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the “Double Map” since 10.13.2 — and with some surprises in 10.13.3 (under Developer NDA so can’t talk/show you).”

AMD said the impact of the three known variants (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754) on its processors is minimal. It said CVE-2017-5753 will be addressed through operating system updates from system vendors and is expected to have “negligible performance impact.” The “branch target injection” variant (CVE-2017-5715) is the one AMD said could affect a small number of customers, though it added that “differences in AMD architecture mean there is a near zero risk of exploitation of this variant.”

On the Mozilla Security Blog, Luke Wagner, a Mozilla software engineer, said the Firefox browser is impacted by Meltdown and Spectre.

“Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes,” Wagner wrote.

Wagner added Mozilla has implemented a short-term fix in all Firefox releases starting with 57. “Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox,” he said.

Google’s security research team, Project Zero, discovered the Meltdown flaw last June. Jann Horn, a security analyst at Google, is credited with the discovery, as are Werner Haas and Thomas Prescher of Cyberus Technology, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz of Graz University of Technology.

On Wednesday, the United States Computer Emergency Readiness Team issued one of the harshest recommendations for fixing the issue. Under the heading “Solutions”, US-CERT states “replace CPU hardware.”

“The underlying vulnerability is primarily caused by CPU implementation optimization choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” US-CERT states.