Meltdown and Spectre are already causing trouble, even if there’s no evidence that cyber-attackers have weaponized the critical processor flaws.
On Jan. 3, the Google Project Zero team of security researchers published its findings on the two CPU vulnerabilities that collectively affect most modern processors from Intel, Advanced Micro Devices (AMD) and Arm. Microsoft was quick to issue emergency patches, but some hardware operating system combinations are proving to be problematic for some users who followed the urgent recommendations of cyber-security experts and updated their systems before Meltdown and Spectre attacks surface and cause serious data breaches.
“These vulnerabilities allow malware to read the computer’s memory, effectively giving access to sensitive user data such as passwords, cryptographic keys, banking information, and so on,” Frederik Mennes, senior manager of market and security strategy at VASCO Data Security’s Competence Center, told eWEEK in email remarks. “Many servers hosting cloud services are equally vulnerable to these flaws. Users should patch the firmware and software of their devices as soon as possible, and should also be extra cautious when downloading software from unknown or suspicious sources.”
It’s prudent advice any time a major vulnerability is discovered and fixed, but on occasion, the remedy can be worse than the disease.
In recent days, many PC owners who applied the early Windows 7 “monthly rollup” patch (KB4056894) that addresses the Meltdown and Spectre vulnerabilities took to Microsoft’s online support forums, Reddit and other technology discussion sites to vent their frustrations with the update.
Several users reported that after applying the patch on Windows 7 systems with AMD chips—Athlon 64 CPUs in particular—they were greeted with a Blue Screen of Death (BSOD), rendering their PCs inoperable. The Windows 10 flavor of the patch (KB4056892) is also causing bootup problems for some users with AMD-based systems.
Their complaints aren’t falling on deaf ears. “We are aware of the reports and are investigating,” a Microsoft spokesperson told eWEEK in response to an email inquiry.
Intriguingly, in AMD’s response to Google Project Zero’s findings, the chip maker downplayed the effects of the Meltdown and Spectre flaws on its processors. Between software patches and the differences in AMD’s microarchitectures compared to its rivals, the company’s chips are largely immune to the so-called “speculative execution” vulnerabilities, AMD claimed.
Meanwhile, IT vendors are taking stock of what flaws like Meltdown and Spectre mean for an industry that is becoming increasingly reliant on cloud servers.
Google recently assured its cloud customers that it had already patched its systems, which may not have been apparent to users expecting to have to reboot their instances after the changes were applied. “Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers,” wrote Google executives in a Jan. 5 blog post. “Via live migration, we can patch our infrastructure without requiring customers to reboot their instances.”
AWS (Amazon Web Services) patched many of its cloud services and issued guidance on how customers can protect themselves. A Microsoft spokesperson informed eWEEK on Jan. 4 that the software giant was working on deploying mitigations to its Azure cloud services portfolio.