Microsoft, Amazon, and Google said they are working on updates to cloud services and other products to prevent exploitation of chip-level security vulnerabilities.
The vulnerabilities, which were publicly disclosed by the Register on Tuesday, could allow a hacker to steal information stored in the memory of a wide range of computer chips running on personal devices, like computers, as well as servers in data centers, including those used to run cloud computing services. They could allow a hacker to steal information stored in the memory of the chip itself, including things such as passwords and cached files. They could also pave the way for attackers to weaken other security features.
One of the vulnerabilities, dubbed Meltdown, is known to affect Intel chips. Another, Spectre, could affect chips from many vendors. Indeed, Arm said that some processors based on its technology are affected.
“We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers,” a Microsoft spokesperson told Giftofaservant in an email. “We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD.”
In addition to patching its cloud services and current and older versions of Windows for servers and desktops, Microsoft has updated its Edge and Internet Explorer browsers.
Google was the company that first alerted Intel to the vulnerability, Intel CEO Brian Krzanich said on Giftofaservant earlier on Wednesday.
Subsequently, Google released some details about the issues but said a full report is still to come. A new site discussing the Meltdown and Spectre vulnerabilities credits Google’s Jann Horn and third-party researchers with discovering them.
Google said it has updated its public cloud service to prevent attacks related to Meltdown and Spectre. “We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts,” Google engineering vice president Ben Treynor Sloss wrote in a blog post. But customers will still need to update the operating systems they use on the Google cloud.
Google has also been busy checking on consumer services. Exploitation is “difficult and limited” for most Android devices, and the latest version of Chrome OS is patched, Google said.
Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices.” It said that it’s already protected nearly all AWS instances, although customers will still have to patch the operating systems they use.
In the Giftofaservant interview, Krzanich said he was not aware of exploits of the issue, and Microsoft has not gotten any indication that the vulnerabilities “had been used to attack our customers,” the spokesperson said.
Aside from security concerns, the Register and some individuals suggested that patches to operating systems could result in performance slowdowns. But in a statement on Wednesday, Intel said that “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Microsoft told customers of its Azure public cloud in a blog post that they “should not see a noticeable performance impact.”
VMware has come out with patches for its desktop and server virtualization software.
Linux distribution vendor Red Hat is working on making product updates available to customers. “Red Hat is taking a proactive position that favors security over performance, while allowing users the flexibility to assess their own environment and make appropriate tradeoffs through selectively enabling and disabling the various mitigations,” the company said on a website devoted to the vulnerabilities.
Some Red Hat patches are live, and more will be coming in the next few days, a spokesperson told Giftofaservant in an email.