Software and hardware vendors have issued advisories and fixes for the “Spectre” (speculative execution side-channel attack) and “Meltdown” vulnerabilities, which stem from recently disclosed CPU design flaws.
Here are a few of the most notable vendor security updates from the past several days.
Apple security updates
Apple released a new announcement outlining the Spectre and Meltdown threats that affect all modern processors (Intel and ARM-based) and nearly all computing devices and operating systems. The company said all Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.
Apple announced that the latest versions of iOS 11.2, macOS 10.13.2, and tvOS 11.2 already provide mitigations to help defend against the Meltdown vulnerability. Apple will release an update for Safari on macOS and iOS in the next few days to mitigate the Spectre vulnerability and related exploit techniques.
Microsoft emergency updates
Microsoft issued an emergency update and “one stop shop” for mitigating the Meltdown and Spectre vulnerabilities on the Windows platform. The guidance includes:
- Ensure your anti-virus is compatible before patching (see Google docs link shared by Kevin Beaumont).
- Install appropriate Windows patches.
- Install firmware updates: “Installing OS patch only is not enough to fix this vulnerability and Firmware update is mandatory.”
- See the Security Advisory for more information on the flaws and their impact on Windows products.
Android Security Bulletin—January 2018
Google said the latest Android Security Bulletin includes Android device fixes for the publicly disclosed set of vulnerabilities. The Android update includes a fix that helps reduce access to high-precision timers and, in turn, limits side-channel attacks (such as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) on all known variants of ARM processors.
On Thursday, Mozilla released a security update for Firefox 57.0.4 to address Spectre. According to the advisory, the update disables or reduces the precision of several time sources in Firefox, because the new class of attacks involves measuring precise time intervals: “The precision of performance.now() has been reduced from 5μs to 20μs, and the SharedArrayBuffer feature has been disabled because it can be used to construct a high-resolution timer.” This will be a partial, short-term mitigation.
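To illustrate why coarsening a time source limits what a script can measure, the following added example (not Mozilla's code) models a clock rounded down to 5μs and to 20μs and counts how often a single before/after reading differs between two operations. The 100 ns and 300 ns durations, the 20,000 ns window and all function names are constructed for illustration.

```javascript
// Added illustration; durations below are constructed, not measured values.
const NS_PER_US = 1000;

// Round a timestamp (integer nanoseconds) down to the clock's resolution,
// modelling a time source whose precision has been reduced.
function clampNs(tNs, resolutionUs) {
  const step = resolutionUs * NS_PER_US;
  return Math.floor(tNs / step) * step;
}

// The elapsed time a script sees when it reads the clamped clock
// immediately before and after an operation of the given true duration.
function observedNs(startNs, durationNs, resolutionUs) {
  return clampNs(startNs + durationNs, resolutionUs) - clampNs(startNs, resolutionUs);
}

// For every start offset in the window, check whether one reading of the
// short operation differs from one reading of the long operation.
function countDistinguishable(shortNs, longNs, resolutionUs, windowNs) {
  let differing = 0;
  for (let start = 0; start < windowNs; start++) {
    const a = observedNs(start, shortNs, resolutionUs);
    const b = observedNs(start, longNs, resolutionUs);
    if (a !== b) differing++;
  }
  return { differing, total: windowNs };
}

// Constructed sample: two operations whose true durations differ by 200 ns.
const SHORT_NS = 100;
const LONG_NS = 300;
const WINDOW_NS = 20000; // one full period of the coarser (20µs) clock

for (const resolutionUs of [5, 20]) {
  const r = countDistinguishable(SHORT_NS, LONG_NS, resolutionUs, WINDOW_NS);
  console.log(`${resolutionUs}µs clock: ${r.differing}/${r.total} single readings differ`);
}
```

The share of readings that differ falls as the resolution is coarsened but does not reach zero, which is consistent with this being a partial mitigation.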
AMD processor security update
AMD issued an update on how the speculative execution vulnerabilities impact AMD products. The AMD team described the three main variants outlined in Google Project Zero (GPZ) research and AMD’s response to each:
- Variant one – Bounds Check Bypass (AMD response: Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected).
- Variant two – Branch Target Injection (AMD response: Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date).
- Variant three – Rogue Data Cache Load (AMD response: Zero AMD vulnerability due to AMD architecture differences).
Intel security updates
Finally, Intel said in a statement that it and its partners have made significant progress in deploying updates as software patches and firmware updates:
“Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.”
Intel also said the average user should not see a “significant performance impact” and that any impact will be mitigated over time. After conducting extensive testing to assess any impact on system performance from the recently released security updates, Intel released more information on Thursday. Based on real-world deployment findings, Apple, Amazon, Google and Microsoft said in their responses that no meaningful performance impact has been observed for most workloads.