Major hardware and software vendors have issued updates on the Meltdown and Spectre security vulnerabilities which went public this week, promising that fixes for both are in the pipeline and will be available in the coming week.
Initially revealed ahead of a scheduled cross-vendor announcement, the Meltdown and Spectre vulnerabilities are serious. Stemming from the use of speculative execution to speed up the performance of modern processors, Meltdown is an Intel-specific issue and has a five to 30 percent performance impact on selected non-consumer workloads in its initial patch; Spectre, by contrast, affects almost every mainstream processor released since 1995 but has little to no performance impact once patched. A fourth variant, a version of Meltdown given the moniker Variant 3a, has also been confirmed as affecting non-Intel parts.
Microsoft and Linux were the first out of the gate with patches to protect against the vulnerabilities, which can be exploited through a web browser and allow access to supposedly-protected kernel memory regions - allowing a malicious advert, for example, to steal passwords and other privileged information. Patches to the Linux kernel are available now and will begin rolling out to end users shortly, while Windows Update has received an out-of-band patch - though one which won't install without a specific non-default registry key being set. Google's Android, too, is protected as of the latest security patch, though third-party vendors like Samsung and HTC typically lag behind this by a period of a month or more.
Since the public announcement, other companies have rushed forward to state that patches are in the works. Intel pledges to have updates for 'more than 90 percent of processor products introduced within the past five years' out with customers by the end of next week, though it is presently silent on whether it will do the same for older parts, while Arm released Linux kernel patches and has confirmed that Spectre affects all tested Cortex-A and Cortex-R chips, with Meltdown Variant 3a affecting Cortex-A15, A57, and A72 parts.
Software vendors, meanwhile, are also working to mitigate the issue. An update to Mozilla's Firefox browser, bringing it to 57.0.4 in the stable release and 58beta14 in the pre-release branch, introduces protections against Meltdown and Spectre exploitation through the browser, while Google's Chrome will soon receive the same protections. Apple, meanwhile, continues to work on protections for its users, with the company confirming that Spectre affects its entire product range including Arm-based iPhone and iPad portables.
With demonstrations of the attacks being used to capture passwords already spreading, users are advised to keep their software up-to-date and check with vendors for patch statuses as the updates are rolled out.
May 15 2020 | 11:00