What’s the problem?
The problem lies in what’s called Speculative Execution, a feature of modern processors designed to improve performance by guessing which instructions and data the processor is likely to need next and executing or pre-fetching them ahead of time. A flaw in this process allows an unauthorised individual to read kernel-level memory from the processor.
What this means is that even browser-based JavaScript can read this information; just browsing a website with the wrong JavaScript file loaded could dump all the data out of your processor. This is bad enough on a single machine. In a shared environment where VMware ESXi, Hyper-V or another hypervisor is in use, it could return data from the CPU about other virtual machines on the same host. In a cloud environment, such as Amazon AWS EC2 instances or Microsoft Azure IaaS VMs, this could allow data to be read back from a VM belonging to another tenant running on the same host.
Who’s fixing it?
It appears that the fix has to come from the operating system vendors, such as Linux and Microsoft, and requires them to rewrite a portion of the OS kernel. The Microsoft hotfix for the issue has already been released for Windows 7 SP1 and all later operating systems, including client and server variants.
The downside is that reports so far show that the performance of certain I/O operations will be reduced by between 5 and 30 percent once the patch is applied, with database and file servers most likely to take the hit. We’ll continue to monitor this as the situation develops.
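Once the kernel fix is installed, the quickest way to confirm it on a Linux host is to ask the kernel itself. The script below is an added example and not part of the original post or Fordway’s tooling; it assumes a Linux kernel that exposes a status file per issue under /sys/devices/system/cpu/vulnerabilities/ (kernels from early 2018 onward do; the post does not mention this interface), and the sample directory it builds for the demo mode uses constructed contents.

```shell
#!/bin/sh
# Added example: report the kernel's own mitigation status for the
# speculative-execution issues, so patch rollout can be audited per host.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/
# (present in Linux kernels from early 2018 onward; not mentioned in the post).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> mitigated | vulnerable | not_affected | unknown
# The kernel writes one free-form line per file; only the leading keyword
# is stable enough to key on.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# audit_dir DIR -> prints "<issue> <class> <raw status>" per file.
# Returns 1 if any issue is still vulnerable, 2 if the directory is absent
# (kernel predates the interface, so nothing can be concluded from it).
audit_dir() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerability report directory at $dir (kernel too old?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        class=$(classify_status "$raw")
        printf '%-14s %-12s %s\n' "$name" "$class" "$raw"
        if [ "$class" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# make_sample_dir -> creates a temporary directory that mimics the kernel
# interface with CONSTRUCTED contents (one fixed, one partially fixed host
# would look like this); prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                            > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n'    > "$d/spectre_v1"
    printf 'Vulnerable\n'                                 > "$d/spectre_v2"
    echo "$d"
}

# Usage:  sh audit.sh live   (audit this host)
#         sh audit.sh demo   (audit the constructed sample)
case "${1:-}" in
    live) audit_dir "$VULN_DIR" ;;
    demo) d=$(make_sample_dir); audit_dir "$d"; echo "exit status: $?"; rm -rf "$d" ;;
esac
```

The exit status is deliberate: a fleet-wide run can collect hosts returning 1 (still exposed) separately from those returning 2 (kernel too old to report, so they need a manual check of the vendor’s advisory rather than being assumed safe).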
What are we doing?
Since becoming aware of this on Wednesday, our engineers have been proactively reviewing all of our managed services. For the backend host infrastructure we are currently carrying out the required remediation.
We urge customers for whom patching is not part of their current service to check the details of this vulnerability with their vendor and ensure that their systems are secured. Further details can be found here. We’ll contact customers individually to discuss any remediation work that is identified, depending on the results of our scans.
If your contract does not include patching services and/or Desktop as a Service, or you are not currently a Fordway customer, our Consultancy services can help. Please contact us for more information.