Vendors are rushing out fixes for the Meltdown and Spectre attacks that were disclosed on Wednesday. The hacks can occur in various ways, but ultimately users should be aware that both allow for an attacker to access the entire memory of a vulnerable computer. Smartphones and other devices containing the vulnerable Intel, AMD and ARM chips are open to either both or one of the attacks. Furthermore, Spectre attacks can be exploited over the Web just by visiting a website running the requisite malicious code; Meltdown attacks require the hacker to already have access to the computer.
Whilst some have suggested the only true fix is for chips to be replaced, that’s been deemed impractical for the general user and for most IT teams. Updates are rolling out, albeit haphazardly, and they’re currently the best way to get protected.
With that in mind, here’s a list of available fixes (all for Meltdown, except where Spectre is specified) from some of the biggest tech manufacturers around:
Google has released various pieces of guidance for users of Android, Chrome, Chrome OS and its myriad cloud services.
As noted in its overarching post, some user action is required on the behalf of Chrome and Chrome OS users, whilst many will have benefitted from automatic updates on Google’s servers. Head to that Google blog now to see what, if any, action is required. The tech giant also put out a “need to know” article for users of its cloud and Chrome products, and a full list of all affected tools.
The latest version of Android contains fixes, Google said. It was unaware of any successful exploitation of either Meltdown or Spectre on ARM-based Android devices.
Microsoft has released multiple advisories for both Windows machines and its Azure cloud.
Windows users can learn about the update from Microsoft here. Whilst a patch for Windows 10 is ready, other versions will be updated Patch Tuesday on January 9. One source told Forbes out-of-support operating systems like Windows XP will not get the update.
They should be aware, however, that Microsoft is only making the updates available to those with compatible antivirus products. As Microsoft noted in a blog post: “The compatibility issue is caused when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot.” If users are running an incompatible antivirus, Microsoft recommended they get in touch with their AV vendor to determine what steps to take. Cybersecurity practitioner Kevin Beaumont has created a useful open list of those antivirus products that are compatible, along with details on plans from those who aren’t.
As for Azure customers, they should be automatically protected, but Microsoft said some may need to reboot their virtual machines for the mitigations to be added. It also noted there shouldn’t be any noticeable performance impact. A full description of the updates can be found on the Azure blog.
Apple released its note on the issues late Thursday, noting that all its Mac and iOS devices were affected, but that it had already released some mitigations in iOS 11.2, macOS 10.13.2 and tvOS 11.2 to help defend against Meltdown. WatchOS was not affected, the Cupertino giant said. It’s also planning to release an update to Safari to protect users against Spectre.
As Meltdown would require a hacker to have some form of access to a Mac or iPhone, such as via remote control with malware, Apple recommended users only download tools from trusted sources such as the App Store.
Amazon Web Services cloud customers were advised Wednesday that only “a small single-digit percentage” of computing systems across its EC2 platform hadn’t been protected and that the remaining ones would be patched “in the next several hours.” Customers were told they must also patch their instance operating systems to be fully secured.
Intel has only issued a general, nontechnical response to the issues. It’s unclear when it will be releasing any updates on its side or if it’s relying on operating system vendors to patch in the short-term before making any alterations to its hardware.
AMD has also issued a general response with no specific fixes outlined. “Total protection from all possible attacks remains an elusive goal and this latest example shows how effective industry collaboration can be,” an online statement read. It recommended good security practice, including not clicking on unrecognized hyperlinks, using strong passwords, operating on secure networks and downloading regular software updates.
The company had initially said it believed there was near-zero risk to its products, though it admitted one of the Spectre attacks could exploit some of its chips, as outlined by the researchers.
ARM has released multiple pieces of guidance, including a whitepaper (PDF) outlining the technical problems and solutions.
In a blog post, it provided a handy list of all affected chips. That page also provides a useful list of what to do, depending on what operating system and hardware a user is running.
Mozilla has come up with a workaround in an attempt to prevent Spectre attacks. As noted by Mozilla software engineer Luke Wagner in a blog post: “Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox.” It’s available in Firefox versions from release 57 onwards.
A major provider of enterprise OpenStack virtualization systems and Linux operating systems, Red Hat announced a range of its products were affected, but that it had created patches. In its notice to customers, however, it appeared many versions of its software did not have patches ready. The company said it was continuing to develop appropriate fixes.
One of the biggest players in virtualization, VMWare, has released its list of affected products and a bunch of patches that should ease some of the pain for the many enterprises who use its software. Read it here.
Another of the large cloud and virtualization vendors, Citrix didn’t release any patches. Instead, it offered guidance to customers of its products and recommended they check for updates on relevant third-party software.