An academic research paper suggests the Meltdown vulnerability most seriously impacts cloud providers, particularly if guests on the platform are not fully virtualized. They have verified that the exploit, which breaks down the isolation between different applications, can affect products made by Intel, AMD and Arm.
Microsoft patched Windows against the vulnerabilities on Wednesday, but said certain systems would not receive the patch on release, due to a clash with some anti-virus software.
The processors often handle data, like a password or encryption key, that is supposed to be kept from other apps.
Google’s Project Zero security team became aware of the flaws late past year and said it had been working to protect its services, including G Suite applications and Google Compute Platform (GCP). Thankfully, it appears that’s not the case as Intel has already rolled out updates which it states make it “immune to the Meltdown and Spectre exploits”. Our team is proud to be in the ranks of cloud giants like Google, Amazon, and Microsoft in demonstrating our capability to respond and defend those customers who make us successful.
Google: “On most of our workloads, including our cloud infrastructure, we see negligible impact on performance”.
While hackers will find it harder to use the Spectre exploit, it is also more challenging for computer manufacturers to ward off, the researchers said. “This includes microcode from device OEMs and in some cases updates to AV software as well”, the company said. These issues notably affect the Intel chips that power the overwhelming majority of cloud servers now running, but other processors – including some designed by AMD and Arm – seem to be affected. For instance, AWS said in its statement that the flaw has existed for over 20 years, and that prior to Wednesday, only a very small percentage of Amazon EC2 instances remained unprotected.
In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers.
Microsoft said it had been aware of the vulnerabilities and had been working on fixes for some time.
Microsoft has since released patches for all supported versions of Windows, and Intel has released firmware updates. It did however say that most users wouldn’t notice the change. Bypassing pre-fetch and going out to the disk to retrieve data avoids that vulnerability, but that extra work will impact performance.