Vendors Rush to Issue Security Updates for Meltdown, Spectre Flaws

  /     /     /  
Publicated : 22/11/2024   Category : security


Vendors Rush to Issue Security Updates for Meltdown, Spectre Flaws


Apple says all Mac and iOS systems are affected by new side-channel attack vulnerabilities.



[UPDATED 7:20pm ET with Apples statement]
Wondering what to do in the wake of the revelation of newly discovered critical design flaws in most modern microprocessors? Security experts say the best bet is to apply patches for the side-channel attack vulnerabilities, which were 
disclosed
 this week. 
The vulnerabilities impact a wide number of products from numerous vendors, though not always with the same level of severity. Also impacted are servers, and in many cases the underlying infrastructure hosting cloud services. Vendors and security analysts have urged all organizations and customers to apply patches, OS updates, and other workarounds as soon as they become available, regardless of the severity of impact.
Generally speaking, the patches to fix this move the balance back towards security, said Paul Ducklin, senior security advisor at Sophos.
The catch, however is that some of the fixes could reduce performance a bit, he said.  Sometimes, the price of security progress is a modicum of inconvenience. In this case, the updates might slow you down a tiny bit, but think of it as being for the greater good of all, he noted.
Heres a rundown of vendors that have released, or are working on, patches for the vulnerabilities, aka Meltdown and Spectre.
Intel
Intel has
acknowledged
the issue but said it doesnt believe the exploits have the potential to corrupt, modify, or delete data. The processor vendor claimed that many computing devices from other vendors are susceptible to the same so-called speculative execution side-channel attacks.
As of Jan 4, Intel has developed or is developing updates for all Intel-based PCs and servers to address problems caused by the Spectre and Meltdown exploits. The chipmaker
said
it hopes to have updates for 90% of its processor products introduced over the last five years, by the end of next week. The company has urged administrators and end users to check with their OS and hardware vendors and apply the updates as soon as they become available.
More details
here

Google
According to Google, the issue has already been mitigated in many of its affected products, or wasnt a vulnerability at all in the first place. Among its affected products are the following:
Android
Googles monthly
security update
for January 2018 contains fixes for the new exploits.  Specifically, the companys 
Android 2018-01-05 Security Patch Level
 includes mitigations that limit attacks on all Intel and known variants of ARM processors according to the company.
Google wants users of all Google-supported Android devices such as the Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL to accept and install the latest security update on their devices.
Chrome
Users and administrators of current stable versions of Chrome need to enable the browsers Site Isolation feature to protect against the threat. The feature isolates websites on different browser tabs into separate address spaces to minimize fallout from security incidents.
Information on Site Isolation and how to enable it are available
here
. Enterprises that want to set Site Isolation by policy on Chrome desktops can learn how to do that
here
.
More details
here

Microsoft
Microsoft has released several updates to address problems caused by the vulnerabilities. Customers and organizations that have enabled automatic Windows security updates will get the fixes with Microsofts January 2018 patch release. Microsoft said users who have not enabled automatic updates should manually install the fixes as soon as possible. According to the company, in order for customers to be fully protected against speculative execution side-channel attacks, they may also need to install hardware and firmware updates from device vendors and in some cases from their antivirus vendors as well. Affected products include multiple versions of Windows, Windows Server, Microsoft Edge, and Internet Explorer.
More details
here
.  
Amazon
Amazon said that all but a single-digit percentage of its underlying cloud infrastructure systems are already protected against the three vulnerabilities.
Updates for the remaining systems will be available soon along with associated guidance on how to implement them. Updates are available for Amazon Linux and those for EC2 Windows will be made available as Microsoft patches become available.
Amazons updates are designed to fix underlying infrastructure issues. In order to be fully protected against these issues, customers must also patch their instance operating systems, the vendor said.
More details
here

Apple
Apple was one of the last vendors to announce its patching plans. Late today, Apple said in a post that all Mac systems and iOS devices are affected by the vulnerabilities, but that it knows of no exploits impacting customers at this time.
The vendor said it released mitigations for Meltdown in iOS 11.2, MacOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, and that Apple Watch is not impacted by that vuln. As for Safari, Apple will issue an update with mitigations against Spectre in the coming days.
We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS, Apple said in its statement
here

Mozilla
As of Jan 4, Mozilla said it was working with security researchers to understand the full impact of the newly announced vulnerabilities and to find fixes for them. In the meantime, the browser maker has implemented a short-term mitigation by disabling or, in some cases reducing the precision of, certain timers in its Firefox browser. The browser maker said it was taking the measure since [the] new class of attacks involves measuring precise time intervals.
In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers, Mozilla said on its blog.
More details
here
.
AMD 
A January 3 CMU CERT
alert
identified AMDs products as being impacted by the newly discovered vulnerabilities. However, the chipmaker downplayed the severity of the threat and said its investigation showed little impact on AMD products. In an update, AMD said the Bounds check bypass vulnerability (CVE-2017-5753) and the Branch Target Injection Vulnerability (CVE-2017-5715) had only a negligible to near-zero performance impact on AMDs processors. Similarly, the Rogue Data Cache Load flaw (CVE-2017-5754) had zero-impact due to AMD architecture differences, the company has noted.
AMD has not released any security fixes as of Jan. 4, and has said that any impact on its processors should be resolved via third party OS and software updates.
More details
here

ARM
Most ARM processors are not impacted by the side-channel vulnerabilities, according to the mobile chip designed. It has released a complete list of the small subset of all ARM-designed processors that are susceptible. Among the 10 processors impacted by at least one of the three side-channel vulnerabilities are the Cortex R7 and R8, Cortex A8, A9 and A15 and Cortex A73 and A75.
ARM has listed various actions Linux users can take to mitigate the threat in each of the affected processors. It has instructed users running Android to contact Google.
More details
here

Red Hat
Red Hat has released a list of all affected versions of its Linux software and said it considers the newly announced vulnerabilities as having an Important security impact on its products. While Red Hats Linux Containers are not directly impacted by kernel issues, their security relies upon the integrity of the host kernel environment. Red Hat recommends that you use the most recent versions of your container images, it said.
The company said it is actively developing scripts to help users understand the impact of the vulnerabilities on their specific systems. It has released security patches for many versions of its Enterprise Linux and is working on updates for the remaining ones. It has urged users to apply the updates as soon as they become available because no other mitigations are available for the vulnerabilities.
More details
here
.  
SUSE
SUSE has released patches for most of its recent SUSE Linux Enterprise versions. Patches for the remaining versions will become available shortly, according to the company. SUSE has rated the three vulnerabilities as being of critical severity to its affected products and has set up a site that gives users continuous updates on patches as they become available.
More details
here

VMWare
VMWare has released updates for its VMware ESXi, Workstation, and Fusion technologies. The company has rated the threat presented by the three vulnerabilities as being of important severity. Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host, the company said.
More details
here

Related Content:
Critical Microprocessor Flaws Affect Nearly Every Machine
Intel Processor Security Flaw Prompts Kernel Makeovers in Linux, Windows
The Long Tail of the Intel AMT Flaw
 

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Vendors Rush to Issue Security Updates for Meltdown, Spectre Flaws