AWS, Google and Microsoft respond to 'Meltdown' and 'Spectre' chip flaw

By on
AWS, Google and Microsoft respond to 'Meltdown' and 'Spectre' chip flaw

Cloud leaders Amazon Web Services, Google, and Microsoft have told partners and customers that they are working on updates and patches to their platforms and services to protect against the two significant chip-level security vulnerabilities – Meltdown and Spectre – that were revealed this week by researchers and academics. 

Meltdown is a hardware vulnerability affecting laptops, desktop computers and internet servers using Intel x86 microprocessors. The flaw is said to allow unauthorised access to user data, including passwords and cached files. 

Spectre, the less serious of the two security flaws, is a bug affecting smartphones, tablets, and computer chips from several vendors, including Intel, Advanced Micro Devices (AMD) and ARM. Spectre lets hackers manipulate applications into leaking sensitive information. Researchers that discovered the vulnerabilities on the chips said that between Meltdown and Spectre, nearly every modern computer and mobile device is impacted.

AWS, Google, and Microsoft communicated to partners and end users that they are aware of the security issues and have been working to prevent exploitation of their offerings. Solution providers can help protect their end customers by supporting a modern security patching infrastructure that includes regular firmware updates from device manufacturers and software providers.

Microsoft told CNBC on Wednesday that it has been working closely with chip manufacturers to develop and test mitigations to protect its customers. The company is also making sure that Azure users aren't being exposed to vulnerabilities.

"The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect," Microsoft said in its blog post about the chip flaws.

As a further precaution, Microsoft told customers that it decided to accelerate its planned maintenance and began automatically rebooting the remaining impacted VMs on Wednesday afternoon. However, the company said that the majority of Azure customers wouldn't see a noticeable performance impact with the latest update.

In addition to its cloud patching efforts, Microsoft also said that it is updating its Edge and Internet Explorer browsers.

Cloud giant AWS in a blog post called the vulnerability an issue that "has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices."

AWS assured partners and customers that all but a "small single-digit percentage" of instances across the Amazon EC2 fleet are already protected. At the time of the blog post on Wednesday, AWS said that the remaining unprotected instances would have been updated by Wednesday evening. The company added that in order to be fully protected against Meltdown and Spectre, customers must also patch their own instance operating systems.

Updates for Amazon Linux have also been made available to partners and end customers to update their instances.

Google, which Intel said was the first company to alert it to the vulnerability, said that it updated its public cloud service, Google Cloud, to prevent attacks related to Meltdown and Spectre.

"We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts," Ben Treynor Sloss, Google's engineering vice president wrote in a blog post. However, customers will need to update the operating systems they use on the Google cloud, the provider said.

Google also said that it is "actively working" with its technology partners to ensure that its other cloud-based offerings are updated and patched.

This article originally appeared at crn.com

Copyright © 2018 The Channel Company, LLC. All rights reserved.
Tags:

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register

Poll

Do you agree that Australian partner revenue targets should be the same dollar value as US targets?
Yes
No
View poll archive

Log In

Username / Email:
Password:
  |  Forgot your password?