What you need to know about Meltdown and Spectre

Saturday, 06 Jan, 2018

The more pervasive flaw, dubbed Spectre, leaves the world's supply of microprocessors potentially vulnerable to attack, the researchers said.

The bugs, known as Spectre and Meltdown, were revealed today following a report from The Register. They have verified that the exploit, which breaks down the isolation between different applications, can affect products made by Intel, AMD and Arm.

Google's Project Zero security team became aware of the flaws late last year and said it had been working to protect its services, including G Suite applications and Google Compute Platform (GCP).

Each browser maker is releasing updates that add new security features and, in some cases, turn off existing features that would make a Spectre attack easier. Our team is proud to be in the ranks of cloud giants like Google, Amazon, and Microsoft in demonstrating our capability to respond and defend those customers who make us successful. "We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts".

The company also said it will release an update on or about January 23 to Chrome's JavaScript feature that will better protect against Spectre attacks, though browser performance may suffer.

A number of AV firms also say they believe their anti-virus is compatible with the patch, but they have not yet updated the Windows registry on customer machines to allow the patch to be installed.

"AWS is aware of the issue described in CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754", a spokesperson told Silicon. These issues notably affect the Intel chips that power the overwhelming majority of cloud servers now running, but other processors - including some designed by AMD and Arm - seem to be affected.

AWS officials said in a statement that all but a small, single-digit percentage of instances across the Amazon EC2 fleet were already protected, and remaining ones would be completed within hours.

Amazon said on Wednesday that it had already protected almost all AWS instances from the vulnerabilities. "We will keep customers apprised of additional information".

The company said the "majority" of Azure infrastructure had already been updated and that all planned maintenance had been brought forward following the public disclosure. It did, however, say that most users wouldn't notice the change. Indeed, it would hardly be hyperbole to suggest it is unprecedented.