Are all the big vendors playing down concerns over the impact of the Spectre and Meltdown vulnerabilities affecting computers systems, corporate servers and even mobile devices?
Who is impacted: computers and mobile devices including those running Android, Chrome, iOS, Linux, macOS and Windows
Meltdown only affects Intel processors. According to reports all Intel processors released since 1995 are impacted by Meltdown
Spectre affects chips from Intel, AMD, ARM and others microprocessors
The two flaws, Spectre and Meltdown, are far-reaching and impact a wide range of microprocessors used in the past decade in computers and mobile devices including those running Android, Chrome, iOS, Linux, macOS and Windows. While Meltdown only affects Intel processors, Spectre affects chips from Intel, AMD, ARM and others.
Currently known vectors for exploiting the flaws are identified as “bounds check bypass” (CVE-2017-5753/Spectre), “branch target injection” (CVE-2017-5715/Spectre) and “rogue data cache load” (CVE-2017-5754/Meltdown), according to researchers at Google Project Zero.
Here is how companies are responding to revelations of the flaws, also referred to as “speculative execution side-channel attack” vulnerabilities.
As for Intel, all Intel processors released since 1995 are impacted by Meltdown, according to researchers. The company said Wednesday that OEMs will release relevant Intel firmware updates to address the issue. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said in a statement.
Microsoft said it was offering an out-of-band update for Windows, ahead of next week’s Patch Tuesday security update. “Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services,” the company said in a statement to its Security TechCenter.
Linux security patches, protecting against Spectre and Meltdown exploits, were pushed out last week. Thomas Gleixner, a Linux kernel developer, posted last month to the Linux Kernel Mailing List information about isolation patches called KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed).
Mobile chip designer ARM said most processors designed by the company are not affected by Spectre. Those chips that are included: Cortex-A75, Cortex-A73, Cortex-A72, Cortex-A57-, Cortex-A17, and Cortex-A9.
Google addressed the issue on Wednesday stating: “We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.”
Google said Android devices with the latest security update, released on Jan. 3, are protected. Google Chrome OS versions prior to 63 are not patched. Google added, “Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.” Google said its Google Cloud Infrastructure and Google App Engine require “no additional user or customer action.” Google Compute Engine customers have been informed the infrastructure is patched, but “customers much patch/update guest environment(s),” according to Google.
Amazon released a statement regarding the impact of Meltdown and Spectre stating: “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”