Several major tech companies have started releasing patches and mitigations for the recently disclosed Meltdown and Spectre vulnerabilities affecting CPUs from Intel, AMD and ARM.
The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access data as it’s being processed. This can include passwords, photos, documents, emails, and data from instant messaging apps.
Billions of PCs, smartphones and cloud instances are affected, and while there is no evidence of attacks in the wild, researchers said exploitation attempts are unlikely to be detected.
Attacks can be prevented using kernel page table isolation (KPTI), a hardening technique designed to improve security by isolating kernel from user memory. However, the mitigation can introduce performance penalties of up to 30 percent for affected processors.
Researchers had initially planned on disclosing the security holes on January 9, but disclosure was moved up due to media reports and speculation surrounding the topic. Affected tech companies have already started informing users about the risks and the availability of patches and mitigations.
Intel, AMD and ARM
Initial reports claimed only Intel CPUs were affected by the vulnerabilities. While Intel was hit the hardest, some of the flaws affect AMD and ARM as well.
Intel has informed customers that it’s working with manufacturers and operating system vendors to address the issues. The company also reassured customers that performance penalties will not affect regular computer users and will be mitigated over time.
AMD is apparently only affected by the Spectre vulnerabilities (CVE-2017-5753 and CVE-2017-5715), and the company claims the risk to its processors is “near zero” thanks to their architecture.
In the case of ARM, the company says only its Cortex-A75 processors are affected by all three vulnerabilities. Cortex R7, R8, A8, A9, A15, A17, A57, A72 and A73 processors are vulnerable to Meltdown attacks and affected by the CVE-2017-5715 Spectre flaw. Other existing products and future processors are not affected, the company said.
ARM has provided kernel patches for Linux users and advised customers using Android and other OSs to check for updates from their respective vendor.
Google has patched the vulnerabilities in its Cloud platform, but some users may need to manually perform some tasks.
“Google Compute Engine used VM Live Migration technology to perform host system and hypervisor updates with no user impact, no forced maintenance windows, and no mass reboots required. However, all guest operating systems and versions must be patched to protect against this new class of attack regardless of where those systems run,” Google said.
The company has informed Android users that while the risk of attacks is small, the latest Android security updates do provide additional protection against Spectre and Meltdown.
Microsoft started implementing protections in Windows a few months ago. The company informed customers on Wednesday that it released several updates to help mitigate the vulnerabilities in Windows client and server products. It has also released a tool designed to tell customers if protections are enabled.
Microsoft is also working to ensure that customers of its Azure cloud platform are not vulnerable to Meltdown and Spectre attacks.
“The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect,” the company said.
UPDATE. Apple has issued a statement confirming that mitigations have already been included in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown.
“In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS,” the company said.
Xen, Amazon Web Services (AWS), DigitalOcean, Rackspace
The Xen Project said systems running any version of the Xen hypervisor are affected. Due to the accelerated disclosure, the organization has not had time to create patches, and mitigations are available for only one of the security holes.
AWS, which uses Xen, told customers, “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications.”
Rackspace, which also uses Xen, is currently investigating the issue. DigitalOcean has also launched an investigation, but the company has blamed Intel’s embargo for not determining potential impact sooner.
Mozilla has conducted some internal experiments and found that it is possible to use techniques similar to Meltdown and Spectre from web content to read private data between different origins. The full extent of the issue has yet to be determined, but some partial mitigations have already been added to Firefox.
Red Hat has classified the vulnerabilities as important and it has already developed kernel updates for affected versions of Red Hat Enterprise Linux.
“We are working with our customers and partners to make these updates available, along with the information our customers need to quickly secure their physical systems, virtual images, and container-based deployments,” said Chris Robinson, manager of Product Security Assurance at Red Hat.
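Once kernel updates such as these are installed, a Linux administrator can check which of the three CVEs the running kernel reports as mitigated. The script below is an added example, not code from the article or from any vendor named in it; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/`, and the file contents used in `demo()` are constructed samples.

```python
from pathlib import Path
import tempfile

# Assumption: the running kernel provides this directory; kernels without it report nothing.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> CVE identifier used in the article
CVE_BY_FILE = {"meltdown": "CVE-2017-5754",
               "spectre_v1": "CVE-2017-5753",
               "spectre_v2": "CVE-2017-5715"}

def classify(raw):
    """Map one sysfs status line to (state, detail)."""
    text = raw.strip()
    if text == "Not affected":
        return "not_affected", ""
    if text.startswith("Mitigation:"):
        return "mitigated", text.split(":", 1)[1].strip()
    if text.startswith("Vulnerable"):
        return "vulnerable", text[len("Vulnerable"):].lstrip(":, ")
    return "unknown", text

def read_status(base=SYSFS_DIR):
    """Return {cve: (state, detail)}; a missing file counts as 'unknown'."""
    report = {}
    for name, cve in CVE_BY_FILE.items():
        try:
            report[cve] = classify((Path(base) / name).read_text())
        except OSError:
            # No entry: the mitigation state cannot be confirmed from sysfs.
            report[cve] = ("unknown", "no sysfs entry")
    return report

def needs_action(report):
    """CVEs not confirmed as mitigated or not affected."""
    return sorted(c for c, (s, _) in report.items() if s in ("vulnerable", "unknown"))

def demo():
    """Evaluate constructed sample files rather than the live system."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body)
        return read_status(tmp)  # spectre_v2 is deliberately absent

if __name__ == "__main__":
    for cve, (state, detail) in read_status().items():
        print(f"{cve}: {state} {detail}".rstrip())
```

A missing entry is treated as "unknown" rather than safe, so a host whose kernel lacks the interface still appears in `needs_action()`.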
NVIDIA said its GPU hardware does not appear to be impacted by Meltdown and Spectre, but some system-on-a-chip (SoC) products using ARM CPUs are vulnerable. The company is working on identifying affected products and preparing mitigations.
VMware told customers that its ESXi, Workstation and Fusion products are vulnerable to Spectre attacks. The company has started releasing patches.
Cisco is working on determining which of its products may be affected by the vulnerabilities.
“A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable,” Cisco said.
*Updated with information from VMware and Cisco