All the major players, including Google, Microsoft and AWS, are working hard to fix security bugs recently found in most CPU architectures and across all operating systems.
The security bugs, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), affect CPUs from Intel, ARM, and AMD, the Windows, Linux and iOS operating systems, and other computing devices based on those chips. They have been filling news posts for a couple of days.
Google, which has published an extensive blog post regarding the security issue, formed an internal security team last year, named Project Zero, which has found multiple methods of attack that can take advantage of these vulnerabilities.
To be precise, the team has discovered three methods (variants) of attack, all of which can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.
Google also noted that attackers can use a virtual machine to access the physical memory of the host machine, which is a serious issue.
Google has updated its Google Cloud Platform (GCP) against all known vulnerabilities and has noted that Google’s Kubernetes Engine (GKE) is protected against the bugs, but customers need to update their runtime environments.
Microsoft has the same problem, but the company has issued a blog post noting that the CPU bug did not result in any known attack on its Azure cloud platform. The company also plans updates that should be coming soon.
Amazon’s public notice on Reddit is particularly interesting. The company notes that only a small percentage of instances across its Elastic Compute Cloud (EC2) platform have not been protected and those should be fixed soon.
Amazon has also issued updates for Amazon Linux, and the updated EC2 Windows AMIs will be available as soon as Microsoft patches become available.
Interestingly, Amazon notes that this is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices.
Hopefully Intel, which appears to be the most affected CPU maker, and the others will be able to patch these bugs without any significant impact.