7.1.18

Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018, announcing Windows mitigations for a major vulnerability in modern CPU architectures. ESET released Antivirus and Antispyware module 1533.3 the same day to all customers to ensure that our products remain compatible with Microsoft’s patch.
Background
The first few days of 2018 have been filled with anxious discussions concerning a widespread vulnerability in processors based on Intel’s Core architecture, used in PCs for many years, as well as in processors from AMD.  The scope of the vulnerability is wide-ranging, affecting everything from the ARM processors commonly used in tablets and smartphones to the IBM POWER processors used in supercomputers.
At the time of this writing, not all details have been released, but reportedly the issue is that programs running in user-mode address space (the “normal” range of memory in which application software, games and the like run) on a computer can infer or “see” some of the information stored in kernel-mode address space (the “protected” range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).
Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent.  The exact amount of slowdown is open to debate.  Intel has stated the performance penalty will “not be significant” for most users, but Linux enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.
History
A long Reddit thread titled Intel bug incoming has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.
Processor manufacturer AMD announced that they are unaffected, according to reports on CNBC and a message to the Linux Kernel Mailing List by an AMD engineer, but reports from both Google’s Project Zero and Microsoft state that AMD processors are affected.  Since then, AMD has released a statement for clarification.
The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects Android, Chrome OS, iOS and macOS as well.  Red Hat’s advisory includes IBM’s POWER architecture as being vulnerable.  Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.
Affected Vendors
Here is a list of affected vendors and their respective advisories and/or patch announcements:
Vendor
Advisory/Announcement
Amazon (AWS)
AMD
Android (Google)
Apple
ARM
Azure (Microsoft)
Chromium Project
Cisco
Citrix
Debian
Dell
F5 Networks
FreeBSD
Google's Project Zero
Huawei
IBM
Intel
Lenovo
Microsoft
Mozilla
NetApp
nVidia
Raspberry Pi Foundation
Red Hat
SUSE
Synology
Ubuntu
VMware
Xen