1/4/2018
05:25 PM
Vendors Rush to Issue Security Updates for Meltdown, Spectre Flaws

Apple says all Mac and iOS systems are affected by new side-channel attack vulnerabilities.

[UPDATED 7:20pm ET with Apple's statement]

Wondering what to do in the wake of the revelation of newly discovered critical design flaws in most modern microprocessors? Security experts say the best bet is to apply patches for the side-channel attack vulnerabilities, which were disclosed this week. 

The vulnerabilities impact a wide number of products from numerous vendors, though not always with the same level of severity. Also impacted are servers, and in many cases the underlying infrastructure hosting cloud services. Vendors and security analysts have urged all organizations and customers to apply patches, OS updates, and other workarounds as soon as they become available, regardless of the severity of impact.

"Generally speaking, the patches to fix this move the balance back towards security," said Paul Ducklin, senior security advisor at Sophos.

The catch, however, is that some of the fixes could reduce performance a bit, he said. "Sometimes, the price of security progress is a modicum of inconvenience. In this case, the updates might slow you down a tiny bit, but think of it as being for the greater good of all," he noted.

Here's a rundown of vendors that have released, or are working on, patches for the vulnerabilities, aka Meltdown and Spectre.

Intel

Intel has acknowledged the issue but said it doesn't believe the exploits have the potential to corrupt, modify, or delete data. The processor vendor claimed that many computing devices from other vendors are susceptible to the same so-called speculative execution side-channel attacks.

As of Jan. 4, Intel has developed or is developing updates for all Intel-based PCs and servers to address problems caused by the Spectre and Meltdown exploits. The chipmaker said it hopes to have updates by the end of next week for 90% of its processor products introduced over the last five years. The company has urged administrators and end users to check with their OS and hardware vendors and apply the updates as soon as they become available.

More details here

Google

According to Google, the issue has already been mitigated in many of its affected products, or wasn't a vulnerability at all in the first place. Among its affected products are the following:

Android

Google's monthly security update for January 2018 contains fixes for the new exploits. Specifically, the company's Android 2018-01-05 Security Patch Level includes mitigations that limit attacks on all Intel and known variants of ARM processors, according to the company.

Google wants users of all Google-supported Android devices such as the Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL to accept and install the latest security update on their devices.

Chrome

Users and administrators of current stable versions of Chrome need to enable the browser's Site Isolation feature to protect against the threat. The feature isolates websites on different browser tabs into separate address spaces to minimize fallout from security incidents.

Information on Site Isolation and how to enable it is available here. Enterprises that want to set Site Isolation by policy on Chrome desktops can learn how to do that here.

More details here

Microsoft

Microsoft has released several updates to address problems caused by the vulnerabilities. Customers and organizations that have enabled automatic Windows security updates will get the fixes with Microsoft's January 2018 patch release. Microsoft said users who have not enabled automatic updates should manually install the fixes as soon as possible. According to the company, in order for customers to be fully protected against speculative execution side-channel attacks, they may also need to install hardware and firmware updates from device vendors and in some cases from their antivirus vendors as well. Affected products include multiple versions of Windows, Windows Server, Microsoft Edge, and Internet Explorer.

More details here.  

Amazon

Amazon said that all but a single-digit percentage of its underlying cloud infrastructure systems are already protected against the three vulnerabilities.

Updates for the remaining systems will be available soon, along with associated guidance on how to implement them. Updates are available for Amazon Linux, and those for EC2 Windows will be made available as Microsoft patches become available.

Amazon's updates are designed to fix underlying infrastructure issues. "In order to be fully protected against these issues, customers must also patch their instance operating systems," the vendor said.

More details here

Apple

Apple was one of the last vendors to announce its patching plans. Late today, Apple said in a post that all Mac systems and iOS devices are affected by the vulnerabilities, but that it knows of no exploits "impacting customers at this time."

The vendor said it released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and that Apple Watch is not impacted by that vulnerability. As for Safari, Apple will issue an update with mitigations against Spectre in "the coming days."

"We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS," Apple said in its statement here

Mozilla

As of Jan 4, Mozilla said it was working with security researchers to understand the full impact of the newly announced vulnerabilities and to find fixes for them. In the meantime, the browser maker has implemented a short-term mitigation by disabling or, in some cases reducing the precision of, certain timers in its Firefox browser. The browser maker said it was taking the measure "since [the] new class of attacks involves measuring precise time intervals."

"In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers," Mozilla said on its blog.

More details here.

AMD 

A January 3 CMU CERT alert identified AMD's products as being impacted by the newly discovered vulnerabilities. However, the chipmaker downplayed the severity of the threat and said its investigation showed little impact on AMD products. In an update, AMD said the Bounds Check Bypass vulnerability (CVE-2017-5753) and the Branch Target Injection vulnerability (CVE-2017-5715) had only a negligible to near-zero performance impact on AMD's processors. Similarly, the Rogue Data Cache Load flaw (CVE-2017-5754) had zero impact due to "AMD architecture differences," the company has noted.

AMD has not released any security fixes as of Jan. 4, and has said that any impact on its processors should be resolved via third party OS and software updates.

More details here

ARM

Most ARM processors are not impacted by the side-channel vulnerabilities, according to the mobile chip designer. It has released a complete list of "the small subset" of all ARM-designed processors that are susceptible. Among the 10 processors impacted by at least one of the three side-channel vulnerabilities are the Cortex R7 and R8; the Cortex A8, A9, and A15; and the Cortex A73 and A75.

ARM has listed various actions Linux users can take to mitigate the threat in each of the affected processors. It has instructed users running Android to contact Google.

More details here

Red Hat

Red Hat has released a list of all affected versions of its Linux software and said it considers the newly announced vulnerabilities as having an "Important" security impact on its products. "While Red Hat's Linux Containers are not directly impacted by kernel issues, their security relies upon the integrity of the host kernel environment. Red Hat recommends that you use the most recent versions of your container images," it said.

The company said it is actively developing scripts to help users understand the impact of the vulnerabilities on their specific systems. It has released security patches for many versions of its Enterprise Linux and is working on updates for the remaining ones. It has urged users to apply the updates as soon as they become available because no other mitigations are available for the vulnerabilities.

More details here.  
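
One way to check a Linux host against the three CVEs named in the AMD section above, as an added example (not Red Hat's script and not part of the original article). It reads the kernel's `/sys/devices/system/cpu/vulnerabilities` files, which assumes a kernel recent enough to expose them; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report kernel-side mitigation status for Meltdown and Spectre.
# Assumption: the running kernel exposes the sysfs directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints ok, vulnerable or unknown.
# Coarse by design: any "Mitigation:" line counts as ok.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_flaws [DIR] -> one tab-separated line per CVE:
#   CVE id, sysfs file name, verdict, raw kernel status.
# Returns 0 only when every entry is ok, so it can gate a compliance job.
check_cpu_flaws() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in \
        "CVE-2017-5753:spectre_v1" \
        "CVE-2017-5715:spectre_v2" \
        "CVE-2017-5754:meltdown"
    do
        cve=${pair%%:*}
        file=${pair#*:}
        if [ -r "$dir/$file" ]; then
            line=$(head -n 1 "$dir/$file")
            verdict=$(classify_status "$line")
        else
            # No entry: the kernel predates this reporting interface,
            # so treat the host as needing an update rather than as safe.
            line="no sysfs entry"
            verdict=unknown
        fi
        [ "$verdict" = ok ] || rc=1
        printf '%s\t%s\t%s\t%s\n' "$cve" "$file" "$verdict" "$line"
    done
    return $rc
}
```

Source the file and call `check_cpu_flaws`, or pass it a directory of status files collected from another host. A clean result covers only what the kernel reports; firmware, hypervisor and browser updates are tracked separately.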

SUSE

SUSE has released patches for most of its recent SUSE Linux Enterprise versions. Patches for the remaining versions will become available shortly, according to the company. SUSE has rated the three vulnerabilities as being of "critical" severity to its affected products and has set up a site that gives users continuous updates on patches as they become available.

More details here

VMware

VMware has released updates for its VMware ESXi, Workstation, and Fusion technologies. The company has rated the threat presented by the three vulnerabilities as being of "important" severity. "Result of exploitation may allow for information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host," the company said.

More details here

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...