AWS, Microsoft, Google and more respond on chip vulnerability issue

James is editor in chief of TechForge Media, with a passion for how technologies influence business and several Mobile World Congress events under his belt. James has interviewed a variety of leading figures in his career, from former Mafia boss Michael Franzese, to Steve Wozniak, and Jean Michel Jarre. James can be found tweeting at @James_T_Bourne.

Leading cloud providers have said they are aware of and working on securing systems after the disclosure of two major chip-level security vulnerabilities earlier this week.

As first reported by The Register, a ‘fundamental’ design flaw in Intel’s processor chips, dubbed Meltdown, was followed by another flaw, called Spectre, found in chips from Intel, AMD and ARM. The latter was confirmed by Google researchers in a blog post published yesterday.

The key to the vulnerability is through a processor technique called ‘speculative execution’. In other words, modern processors can estimate what task needs to be done next, and if it is correct, then is executed in a much quicker time than otherwise. As the Google blog notes, malicious actors ‘could take advantage of speculative execution to read system memory that should have been inaccessible’, such as passwords or encryption keys.

So how does this affect cloud providers? A blogger going under the name of Python Sweetness asserted on January 1 that the vulnerability will affect major cloud providers. “There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine,” the post reads.

In a security bulletin, Amazon Web Services (AWS) said ‘all but a small single-digit percentage of instances across the Amazon EC2 fleet’ were already protected. Microsoft said in a statement that it was “in the process of deploying mitigations to cloud services”, as well as releasing security updates. Google issued a bulletin for its cloud products with Compute Engine, Kubernetes Engine, Cloud Dataflow and Cloud Dataproc requiring updates, while a statement from Josh Feinblum, chief security officer at DigitalOcean, recommended server reboots for users and promised urgent maintenance if this was unsuccessful.  

A statement from Intel issued yesterday said the company was committed to product and customer security and was working with AMD, ARM, and others ‘to develop an industry-wide approach to resolve this issue promptly and constructively.’

“Intel has begun providing software and firmware updates to mitigate these exploits,” the statement added. “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

AMD also issued an update, stressing the importance that the research was performed in lab conditions and the threat had not been seen in the public domain.

https://www.cybersecuritycloudexpo.com/wp-content/uploads/2018/09/cyber-security-world-series-1.pngInterested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

View Comments
Leave a comment

One comment on “AWS, Microsoft, Google and more respond on chip vulnerability issue

  1. Jonathan Levitt on

    The most severe one has an entry date of 20181113 (almost 1 year ago) and does not even have a any details even after the fix was issues so it goes to show that is must be so severe and easy to execute that they must wait until most of the CPUs are patched before releasing any information. However, we are confident that those major companies will fix this kind of issue as soon as possible. Jonathan from https://redbytesite.com/

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *