Tech industry responds to ‘Meltdown’ and ‘Spectre’ chip design flaws
WE’RE NOT EVEN a week into 2018 and already the New Year has thrown a massive spanner in the works for anyone hoping to have a year free of a large-scale security threat. It was reported just this week that all Intel chips produced over the last decade feature a design flaw that could put all Windows, Linux and macOS kernels at risk by essentially allowing commonly used programs to read or discern the contents and layout of a computer’s protected kernel memory areas. Given kernel memory is dedicated to the core components and interactions of an operating system with its hardware, it is said that the flaw could be exploited by malicious programmes, namely Meltdown or Spectre, to expose secured information such as passwords, and effectively compromise a targeted machine or indeed server network. But that’s not all. The flaw is not only a pain in the ass to patch (as major changes are required at the operating system level to patch it) but once fixed, the machines in question could see performance declines of up to 30 percent.
As you can probably imagine, the tech industry hasn’t remained closed-mouthed and has reacted to the news accordingly, with some of the industry’s biggest players from different sectors such as cloud providers and device manufacturers, already putting out statements. Some have even reported that they already knew about the bug, with a few admitting they have already patched it. It can, therefore, be hard to know who to believe, what is safe to use, and what isn’t.
With that, here’s our rundown of the tech industry’s response to the Meltdown/Spectre palaver thus far, who have said they have fixed the problem, and who is rumoured to announce the same any day now… Apple
Although the Cupertino firm hasn’t announced it officially yet, AppleInsider quoted “multiple sources within Apple” as saying that updates made in macOS 10.13.2 have mitigated “most” security concerns associated with the CPU vulnerability.
If this wasn’t enough proof that Apple devices are safe from the flaw, take a look at this tweet from software developer Alex Ionescu, who says his studies of macOS code show Apple introduced a fix for the CPU flaw in the release of macOS 10.13.2, and there are additional tweaks set to be introduced in macOS 10.13.3, which is currently in beta testing.
Google
The search engine giant was super quick to respond, issuing a blog post the same night the news went viral. In a blog post, the firm said its Project Zero security team had already fixed the bug after it discovered the CPU vulnerability last year.
The firm’s Cloud VP, Ben Treynor Sloss, said the company’s engineering teams have been working to protect customers from the flaw “across the entire suite of Google products” since last year, including Google Cloud Platform (GCP), G Suite applications, and the Google Chrome and Chrome OS products.
“We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web,” Sloss explained.
“All G Suite applications have already been updated to prevent all known attack vectors. G Suite customers and users do not need to take any action to be protected from the vulnerability.” Microsoft
We haven’t heard much from Microsoft yet about the flaw, but it’s expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday this month, after seeding them to beta testers running fast-ring Windows Insider builds in November and December.
Amazon
Amazon Web Services (AWS) also said it was made aware of the research around the bug last year, referring to it as a “side-channel analysis of speculative execution on modern computer processors [namely] CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754”.
Stating that the bug had has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices, AWS claimed that “all but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected”.
The firm also reassured users that the remaining instances will be completed in “the next several hours”, with associated instance maintenance notifications.
Kaspersky
So what does one of the biggest security vendors have to say? As you can imagine, the usual doom and gloom ensues, but the company also gave some advice to those concerned about the possible negative outcomes associated with the vulnerabilities.
“Patches against Meltdown have been issued for Linux, Windows and OS X, and work is underway to strengthen software against future exploitation of Spectre. “Intel has a tool you can use to check if your system is vulnerable to the bugs,” Kaspersky Lab’s GReAT Senior Security Researcher, Ido Naor, advised. “It is vital that users install any available patches without delay. It will take time for attackers to figure out how to exploit the vulnerabilities – providing a small but critical window for protection.” µ
