Meltdown and Spectre. What are they?
Two new computer security vulnerabilities, named Meltdown and Spectre, have been disclosed in the past few days after being discovered by Google Project Zero. Essentially, the two issues allow unauthorised access to data, potentially even across virtual machines (VMs). This means that, regardless of access levels, one VM could read sensitive information from another VM.
Meltdown affects all Intel CPUs produced since 1995, except Itanium, and can be fixed with a software patch. As widely reported in the mainstream media, the downside of the patch is a potential performance penalty. However, this penalty is difficult to quantify and depends significantly on the specific workload being run on the CPU; figures reported so far range from 0% to 30%, depending on the workload.
Spectre, on the other hand, affects nearly every processor on the market and stems from the processor architecture itself. Consequently, there is no software fix. Hardware vendors are expected to release updated firmware to mitigate the issue, but only a hardware change can permanently prevent it.
The impact on Microsoft Azure
Microsoft has been quick to release a patch for all currently supported Operating Systems. Windows 10 patches have been released to install as of today, ahead of ‘Patch Tuesday’.
Microsoft had initiated a maintenance period beginning 28th December, which included platform updates to mitigate the Meltdown and Spectre issues. However, due to the disclosure and the risk of an active exploit being developed, they have brought forward the completion of the maintenance window from next week to now (as at the time of writing).
As a result, many Azure VMs will be rebooted automatically by Microsoft. You cannot control when this happens, and no timeframe can be given on a per-machine or per-tenancy basis. Due to the accelerated timescale, Microsoft has also removed the self-service maintenance window option, which had been open since 28th December 2018.
The article from Microsoft here details the impact.
Microsoft has released several patches today which should be installed as a priority on Windows Servers. Windows 10 will install these automatically today (4th January 2018), whereas corporate update systems will receive them in line with standard ‘Patch Tuesday’ schedules. Patch installation requires a system reboot.
If your Windows Server is an Azure VM, it may reboot twice in quick succession: once for the Microsoft Azure host platform update, and once to install the patch in the VM's own operating system.
The patches only fix the Meltdown vulnerability, not Spectre. To reiterate, hardware vendors are expected to release firmware updates to mitigate the effect of Spectre. However, for secure systems the only permanent fix is to replace the CPU with a non-susceptible unit, a potentially costly exercise.
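Because the OS patch covers Meltdown while Spectre also needs a firmware (microcode) update from the hardware vendor, administrators need a way to confirm, after the reboot(s), which mitigations are actually active on a given server or Azure VM. The following script is an added example for this post, not code from the original article or from Microsoft; it assumes an elevated PowerShell session with access to the PowerShell Gallery, and uses Microsoft's SpeculationControl module, whose Get-SpeculationControlSettings cmdlet reports the kernel VA shadow (Meltdown) and branch target injection (Spectre variant 2) status. The pending-reboot check reads the standard Windows Update RebootRequired registry key.

```powershell
# Added example (not from the original post or Microsoft): report whether the
# OS-level Meltdown mitigation and the firmware-dependent Spectre variant 2
# mitigation are present and enabled on this Windows machine.
# Assumes: elevated session, PowerShell Gallery reachable (or the module
# already installed offline), Microsoft's SpeculationControl module.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Install the module on first use; corporate systems may need it staged offline.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

$s = Get-SpeculationControlSettings

$report = [pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    # Meltdown (rogue data cache load) is mitigated in the OS by kernel VA shadowing.
    MeltdownMitigationNeeded  = $s.KVAShadowRequired
    MeltdownOsSupport         = $s.KVAShadowWindowsSupportPresent
    MeltdownMitigationEnabled = $s.KVAShadowWindowsSupportEnabled
    # Spectre variant 2 (branch target injection) needs CPU microcode/firmware
    # support as well as the OS update before it can be enabled.
    SpectreFirmwareSupport    = $s.BTIHardwarePresent
    SpectreOsSupport          = $s.BTIWindowsSupportPresent
    SpectreMitigationEnabled  = $s.BTIWindowsSupportEnabled
    # A patch that has been installed but not yet rebooted is not protecting anything.
    PendingReboot             = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
}

$report | Format-List

# Summarise the two states this post says to watch for.
if ($report.MeltdownMitigationNeeded -and -not $report.MeltdownMitigationEnabled) {
    Write-Warning 'Meltdown mitigation is required but not enabled: install the OS patch and reboot.'
}
if (-not $report.SpectreFirmwareSupport) {
    Write-Warning 'No firmware (microcode) support for the Spectre variant 2 mitigation: a vendor firmware update is still needed.'
}
if ($report.PendingReboot) {
    Write-Warning 'A reboot is pending; mitigation status will change after restart.'
}
```

Running this across a fleet (for example via Invoke-Command) and collecting the objects gives a simple inventory of which VMs still need the OS patch, a reboot, or a firmware update from the hardware vendor. Note that on an Azure VM the host platform update is applied by Microsoft and is not visible through this check; only the guest OS state is reported.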
Read more on Meltdown and Spectre
As always, it’s prudent to keep up to date on security issues and with patches and software updates. If you have an immediate need for help please complete the contact form. We also post regular blogs about security so please do follow us.