Spectre and Meltdown patches flow, hit flood stage

Patches have been flowing out fast and furiously to repair the kernel-level flaws found in Intel processors, and to a lesser extent in AMD and ARM processors, that could allow for remote code execution and access of kernel-level memory.

Although the problems have only been shown via proof-of-concept tests, Microsoft, Google and other firms have issued, or plan to issue, patches to eliminate the problem before it pops up in the wild. The three vulnerabilities are CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown), and CVE-2017-5715 (Spectre).

Microsoft pushed out an out-of-band series of security updates on Jan. 3 to address the issues and told consumers that they may need to install additional firmware updates from the device vendor as well.

Apple support said it plans to release an update for Safari, macOS and iOS in the next few days to mitigate the issue and that the fixes should only have a minimal impact on device speed. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected. In the meantime, it reiterated that the flaws are extremely difficult to exploit.

Google and Android issued their latest security update on Jan. 2 and report that their products should now be protected.

On Jan. 5, Amazon Web Services issued a statement saying that while only a small percentage of its servers were vulnerable, all have been updated and are now secure. However, the company did suggest its customers update their operating systems to strengthen their protection.

AMD reported the issues had a negligible impact and the one area where there was a danger, Bounds Check Bypass, will be patched through software/hardware vendor updates.

Intel is following the same path, pushing off the responsibility for any fix and telling customers to look for updates from its software and hardware vendors.

Linux has been releasing patches for several weeks to deal with the problems.
