Spectre & Meltdown: Mitigation Status

UPDATE 20170104: US-CERT has published an alert with aggregated links to vendor guidance and updates.

Rather than requiring you to chase info all over the Internet (or on Twitter), we’ve aggregated information about the Meltdown and Spectre vulnerabilities here for your convenience.

Overview

Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real software.

So far, there are three known variants of the issue:

• Variant 1: bounds check bypass (CVE-2017-5753)
• Variant 2: branch target injection (CVE-2017-5715)
• Variant 3: rogue data cache load (CVE-2017-5754)

To exploit the issue on an unpatched system, an attacker would only need to be able to execute code. This means that shared (cloud) systems are particularly vulnerable, and Mozilla confirmed that it is possible to use similar techniques from Web content to read private information between different origins, so it could be exploited on a vulnerable browser simply by visiting an attacker-controlled site.

More Detail:

• Speculation that (presumably) led to early release: [PythonSweetness]
• High-level overview from Project Zero
• More detailed information̉ from Project Zero
• Very well done Spectre and Meltdown explanation from @malwarejake

Original papers:

• Meltdown Vulnerability
• Spectre Vulnerability

Mitigating the issue

Given the seriousness of this issue, the collective response from vendors has been outstanding. Here’s a look at our current status:

Hardware Vendors

• Intel: Updates available. [Analysis]
• AMD: No updates required beyond OS patches.
• ARM: Response.

Cloud Providers

• Amazon Web Services: Mitigated.
• Microsoft Azure: Mitigated.
• Google Compute Engine: Mitigated.
• Rackspace: Not Yet Mitigated (2018-01-04 11AM PST).
• Linode: Linode Kernel updated (2018-01-05). Updates still in progress
• Digital Ocean: In progress (2018-01-05).

Operating System Vendors

• Android: Update available!
• Linux: Some updates available! In some cases, you’ll need to manually update the kernel. Distribution specific patches are still coming together with some already available through normal update channels. New mitigations are still being discussed at time of writing.
  • Ubuntu response
  • SUSE response
  • RHEL response
• OSX: Update available! (Detail)
• Chrome-OS: Update available!
• Windows 7: Update available!
• Windows 8.1, 2012R2: Update available!
• Windows 10: Update available!
  • An official Powershell tool has been providedˀto query status of Windows mitigations for CVE-2017-5715 (branch target injection) CVE-2017-5754 (rogue data cache load). (Server, Client)
  • An Older (unofficial) check tool was provided .by @aionescu.

Antivirus Vendors

Individual Antivirus Vendor responses can be found here. (Thanks @gossithedog!)

Browser Vendors

• Apple Safari: None available (2018-01-05 4PM PST), but Apple indicates one is coming.
• Google Chrome: Update available on the the 23rd. (Immediate workaround)
• Microsoft Edge: Update available!
• Mozilla Firefox: Update available!

This documents details a current security event affecting many modern microprocessor designs. Information may change rapidly as the event progresses, and more info or commands added here soon.