
Amazon AWS, Google Cloud and Microsoft Respond to Intel Meltdown, Spectre Bugs

Amazon, Google and Microsoft are updating their cloud services and other products in response to the Intel Meltdown and Spectre microprocessor bugs, according to CNBC. The cloud services and product updates come after Intel officially commented on Meltdown and Spectre on Wednesday.

Amazon Web Services (AWS) yesterday posted a bulletin about Meltdown and Spectre, noting "a small single-digit percentage of instances across the Amazon EC2 fleet already protected." AWS also planned to safeguard all remaining Amazon EC2 instances over the course of several hours.

AWS has notified customers via email about a major security update that is expected to take place Friday, The Register reported. Furthermore, AWS has published an updated kernel for Amazon Linux. The kernel is available within Amazon Linux repositories, and all instances launched with the default Amazon Linux configuration now automatically include the updated package.

Google Cloud Platform: Patching Meltdown, Spectre

Google has released a list of products and their current status against Meltdown and Spectre. It indicated that users of the following Google Cloud Platform services need to take additional action to address the security flaws:

  • Google Cloud Dataflow.
  • Google Cloud Dataproc.
  • Google Compute Engine.
  • Google Kubernetes Engine.

Microsoft Azure will undergo maintenance and reboots on Tuesday, The Register pointed out.

In addition, Microsoft has patched its cloud services and current and older versions of Windows for servers and desktops. The company is working with chip manufacturers to develop and test mitigations to protect its customers against Meltdown and Spectre, a Microsoft spokesperson stated.

A Closer Look at Meltdown and Spectre

Meltdown and Spectre were first reported by The Register earlier this week. Meltdown is known to affect Intel chips, while Spectre may affect chips from Intel and many other vendors. In response, MSP-centric vendors like Datto have been offering guidance as partners prepare to tackle patch management for the bugs.

Both Meltdown and Spectre have been present in modern processors produced in the past decade and allow database applications, JavaScript, web browsers and other administrator and user programs to identify the layout or contents of protected kernel memory areas, The Register reported.

Meltdown and Spectre enable malware and hackers to more easily exploit other security bugs, according to The Register. They can be used to read the contents of a kernel's memory that otherwise is hidden from administrator and user processes and programs.

Meltdown and Spectre may cause processors to slow down, and their overall impact varies based on the processor model and task being performed, The Register indicated. However, Intel denied the performance hit claims. Moreover, security patches and updates may prove to be critical as administrators and users search for ways to limit the impact of these vulnerabilities.

The U.S. Computer Emergency Readiness Team (US-CERT) is aware of Meltdown and Spectre and noted these vulnerabilities "could allow an attacker to obtain access to sensitive information." To address Meltdown and Spectre, US-CERT has recommended administrators and users review Vulnerability Note VU#584653, Microsoft's Advisory and Mozilla's blog post for additional information and refer to their operating system vendor for appropriate patches.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.