Updates on the Meltdown and Spectre Processor Vulnerabilities
SPR is aware of a new class of security vulnerabilities referred to as “Speculative execution side-channel attacks,” also known as Meltdown and Spectre, that were publicly disclosed by Cyber security researchers this week. Given the gravity of these flaws, many concerns have been rightly raised. See what their impact is as well as Microsoft Cloud’s response and how they are dealing with it. We will also cover how you can mitigate and prevent the issues for on-premises environments.
These security flaws exploit critical vulnerabilities in modern processors whether Intel, Apple, AMD, or ARM chips. They allow programs to steal data while it’s being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the CPU’s memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Overview of Spectre Vulnerability
Spectre breaks the most fundamental isolation between user processes and the operating system. If your computer has a vulnerable processor (Intel, Apple, ARM, AMD) and runs an unpatched operating system / firmware, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.
Overview of the Meltdown Vulnerability
Meltdown breaks the isolation between different applications using a flaw in the Kernel on machines with vulnerable processors (Intel, Apple). It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
How to Enable Protection for On-premises and Cloud Environments
Microsoft has provided instructions for recommended actions that enable protection of servers against these vulnerabilities. Some of these are detailed in the following link: Microsoft Protections Against Meltdown and Spectre.
Impact to Enterprise Cloud Services
Microsoft has provided updates of the impact of these flaws on enterprise cloud services in the following link: Impact to Enterprise Cloud Services.
Amazon Web Services Linux Protection Recommendations
All instances across the Amazon EC2 fleet are protected from all known threat vectors from the CVEs previously listed. Customers’ instances are protected against these threats from other instances. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads. The following link provides further recommendations and updates. Recommended Customer Actions for AWS.
Conclusion
It must be added that Public Cloud providers like Microsoft Azure and Amazon AWS are well ahead of the curve when it comes to security. Cloud providers got on top of this way before most of the industry. Public Cloud providers like Amazon AWS and Microsoft Azure are also much safer than on-premise sites considering that they employ a large and formidable army of security professionals and resources.
Personal computer users are also strongly advised to immediately download and install patches and updates available for their operating systems.
