Dark Reading is part of the Informa Tech Division of Informa PLC


1/4/2018
05:25 PM

Vendors Rush to Issue Security Updates for Meltdown, Spectre Flaws

Apple says all Mac and iOS systems are affected by new side-channel attack vulnerabilities.

[UPDATED 7:20pm ET with Apple's statement]

Wondering what to do in the wake of the revelation of newly discovered critical design flaws in most modern microprocessors? Security experts say the best bet is to apply patches for the side-channel attack vulnerabilities, which were disclosed this week. 

The vulnerabilities impact a wide range of products from numerous vendors, though not always with the same level of severity. Also impacted are servers, and in many cases the underlying infrastructure hosting cloud services. Vendors and security analysts have urged all organizations and customers to apply patches, OS updates, and other workarounds as soon as they become available, regardless of the severity of impact.

"Generally speaking, the patches to fix this move the balance back towards security," said Paul Ducklin, senior security advisor at Sophos.

The catch, however, is that some of the fixes could reduce performance a bit, he said. "Sometimes, the price of security progress is a modicum of inconvenience. In this case, the updates might slow you down a tiny bit, but think of it as being for the greater good of all," he noted.

Here's a rundown of vendors that have released, or are working on, patches for the vulnerabilities, aka Meltdown and Spectre.

Intel

Intel has acknowledged the issue but said it doesn't believe the exploits have the potential to corrupt, modify, or delete data. The processor vendor claimed that many computing devices from other vendors are susceptible to the same so-called speculative execution side-channel attacks.

As of Jan. 4, Intel has developed or is developing updates for all Intel-based PCs and servers to address problems caused by the Spectre and Meltdown exploits. The chipmaker said it hopes to have updates for 90% of its processor products introduced over the last five years by the end of next week. The company has urged administrators and end users to check with their OS and hardware vendors and apply the updates as soon as they become available.

More details here

Google

According to Google, the issue has already been mitigated in many of its affected products, or wasn't a vulnerability at all in the first place. Among its affected products are the following:

Android

Google's monthly security update for January 2018 contains fixes for the new exploits. Specifically, the company's Android 2018-01-05 Security Patch Level includes mitigations that limit attacks on all Intel and known variants of ARM processors, according to the company.

Google wants users of all Google-supported Android devices such as the Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL to accept and install the latest security update on their devices.

Chrome

Users and administrators of current stable versions of Chrome need to enable the browser's Site Isolation feature to protect against the threat. The feature isolates websites on different browser tabs into separate address spaces to minimize fallout from security incidents.

Information on Site Isolation and how to enable it is available here. Enterprises that want to set Site Isolation by policy on Chrome desktops can learn how to do that here.

More details here

Microsoft

Microsoft has released several updates to address problems caused by the vulnerabilities. Customers and organizations that have enabled automatic Windows security updates will get the fixes with Microsoft's January 2018 patch release. Microsoft said users who have not enabled automatic updates should manually install the fixes as soon as possible. According to the company, in order for customers to be fully protected against speculative execution side-channel attacks, they may also need to install hardware and firmware updates from device vendors and in some cases from their antivirus vendors as well. Affected products include multiple versions of Windows, Windows Server, Microsoft Edge, and Internet Explorer.

More details here.  

Amazon

Amazon said that all but a single-digit percentage of its underlying cloud infrastructure systems are already protected against the three vulnerabilities.

Updates for the remaining systems will be available soon along with associated guidance on how to implement them. Updates are available for Amazon Linux and those for EC2 Windows will be made available as Microsoft patches become available.

Amazon's updates are designed to fix underlying infrastructure issues. "In order to be fully protected against these issues, customers must also patch their instance operating systems," the vendor said.

More details here

Apple

Apple was one of the last vendors to announce its patching plans. Late today, Apple said in a post that all Mac systems and iOS devices are affected by the vulnerabilities, but that it knows of no exploits "impacting customers at this time."

The vendor said it released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, and that Apple Watch is not impacted by that vulnerability. As for Safari, Apple will issue an update with mitigations against Spectre in "the coming days."

"We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS," Apple said in its statement here.

Mozilla

As of Jan. 4, Mozilla said it was working with security researchers to understand the full impact of the newly announced vulnerabilities and to find fixes for them. In the meantime, the browser maker has implemented a short-term mitigation by disabling or, in some cases, reducing the precision of certain timers in its Firefox browser. The browser maker said it was taking the measure "since [the] new class of attacks involves measuring precise time intervals."

"In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers," Mozilla said on its blog.

More details here.

AMD 

A January 3 CMU CERT alert identified AMD's products as being impacted by the newly discovered vulnerabilities. However, the chipmaker downplayed the severity of the threat and said its investigation showed little impact on AMD products. In an update, AMD said the Bounds Check Bypass vulnerability (CVE-2017-5753) and the Branch Target Injection vulnerability (CVE-2017-5715) had only a negligible to near-zero performance impact on AMD's processors. Similarly, the Rogue Data Cache Load flaw (CVE-2017-5754) had zero impact due to "AMD architecture differences," the company has noted.

AMD has not released any security fixes as of Jan. 4, and has said that any impact on its processors should be resolved via third-party OS and software updates.

More details here

ARM

Most ARM processors are not impacted by the side-channel vulnerabilities, according to the mobile chip designer. It has released a complete list of "the small subset" of all ARM-designed processors that are susceptible. Among the 10 processors impacted by at least one of the three side-channel vulnerabilities are the Cortex R7 and R8, Cortex A8, A9 and A15 and Cortex A73 and A75.

ARM has listed various actions Linux users can take to mitigate the threat in each of the affected processors. It has instructed users running Android to contact Google.

More details here

Red Hat

Red Hat has released a list of all affected versions of its Linux software and said it considers the newly announced vulnerabilities as having an "Important" security impact on its products. "While Red Hat's Linux Containers are not directly impacted by kernel issues, their security relies upon the integrity of the host kernel environment. Red Hat recommends that you use the most recent versions of your container images," it said.

The company said it is actively developing scripts to help users understand the impact of the vulnerabilities on their specific systems. It has released security patches for many versions of its Enterprise Linux and is working on updates for the remaining ones. It has urged users to apply the updates as soon as they become available because no other mitigations are available for the vulnerabilities.

More details here.  
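For administrators who want to check a host's status themselves, the following is an added example (not Red Hat's script and not code from the article). It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities/` (mainline 4.15 and later, plus vendor backports) and maps the three CVE identifiers cited in the AMD section to the kernel's own status files; the function names and the `SYSFS_DIR` variable are hypothetical.

```shell
#!/bin/sh
# Added example: report the kernel-declared status for Spectre and Meltdown.
# Assumption: the kernel publishes one status file per issue under SYSFS_DIR.
SYSFS_DIR="${SYSFS_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status <status-line>
# Prints not_affected, vulnerable, mitigated, or unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)    echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# check_cve <dir> <sysfs-file>
# A missing file means the kernel predates the reporting interface, so the
# state is reported as unknown rather than assumed safe.
check_cve() {
    if [ -r "$1/$2" ]; then
        classify_status "$(head -n 1 "$1/$2")"
    else
        echo unknown
    fi
}

# report <dir>
# Prints one line per CVE; returns 1 if any entry is vulnerable or unknown.
report() {
    dir="$1"; rc=0
    for pair in "CVE-2017-5753:spectre_v1" \
                "CVE-2017-5715:spectre_v2" \
                "CVE-2017-5754:meltdown"; do
        cve="${pair%%:*}"; file="${pair##*:}"
        state="$(check_cve "$dir" "$file")"
        echo "$cve ($file): $state"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

report "$SYSFS_DIR" || echo "Action needed: apply vendor kernel and firmware updates."
```

A "mitigated" result reflects only what the running kernel reports; firmware and hypervisor updates still have to be confirmed with the hardware or cloud vendor.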

SUSE

SUSE has released patches for most of its recent SUSE Linux Enterprise versions. Patches for the remaining versions will become available shortly, according to the company. SUSE has rated the three vulnerabilities as being of "critical" severity to its affected products and has set up a site that gives users continuous updates on patches as they become available.

More details here

VMware

VMware has released updates for its VMware ESXi, Workstation, and Fusion technologies. The company has rated the threat presented by the three vulnerabilities as being of "important" severity. "Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host," the company said.

More details here


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
