Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive

Scott Ferguson

A significant security flaw in Intel's microprocessors sent all of the major public cloud providers into patching overdrive this week, even as many tried to play down the significance of this particular vulnerability.

Intel Corp. (Nasdaq: INTC), which is currently the world's second largest provider of microprocessors, is a significant player in the data center and cloud markets, and the company's x86 CPU underpins the infrastructures of the hyperscale facilities that support various public cloud platforms. (See Hyperscale Data Centers Continued to Grow in 2017.)

In response, Amazon Web Services Inc., Microsoft Corp. (Nasdaq: MSFT) and Google (Nasdaq: GOOG) all sent out patching and security information to customers this week. While the flaw in the Intel chips cannot be fixed, the operating systems can be patched to prevent hackers from taking advantage of the vulnerability.

The flaw was first reported in a paper published by Graz University of Technology in Austria. Researchers found that by manipulating pre-executed commands within the chip, which help make data available faster, hackers can gain access to the content of the kernel memory.

(Source: Axonite via Pixabay)

This, in turn, can allow the hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.

On Security Now, Curtis Franklin has a complete rundown of how the flaw works and the security implications. (See New Intel Vulnerability Hits Almost Everyone.)

Microsoft has the most at stake in this patching scramble.

Not only is the company's Azure platform the second-largest public cloud platform in the world, the company's Windows operating system is closely coupled with the x86 chip architecture and runs in a significant number of global data centers.

However, to be fair, Linux operating systems need patching as well.

In a January 3 blog post, Microsoft noted that it is aware of the flaw and that once customers reboot their virtual machines (VMs), it would apply the patch. However, Redmond noted that it planned to accelerate its patching schedule this week to address the security issue.

"The majority of Azure infrastructure has already been updated to address this vulnerability," according to Wednesday's post. "Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required."

AWS, the world's largest public cloud provider, noted in its own post that this type of CPU flaw has been known for about 20 years and can affect AMD and ARM chips, as well as Intel processors. However, Amazon noted that a small percentage of its EC2 fleet was being patched to address the issue late Wednesday.

Amazon also noted that it is patching its own version of Linux and warning customers to look out for updates to Windows.


In its own lengthy post, Google noted that some of the problems with the Intel vulnerability, specifically the flaw with "speculative execution" that helps optimize CPU performance, had been disclosed by its own Project Zero team in 2017.

The search giant also moved its notification up from January 9 to address the security issues that had been made public. A full Project Zero report on the flaw is also in the works.

"As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google's systems and our users' data. We have updated our systems and affected products to protect against this new type of attack," according to the post.

In addition to its own products and services, Google noted that some customer action might be needed to address concerns with its Google Compute Engine, Kubernetes Engine, Cloud Dataflow and Cloud Dataproc.


— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

1/10/2018 | 2:59:30 AM
AWS isn't worried?
> "Amazon noted that a small percentage of its EC2 fleet was being patched to address the issue late Wednesday."

Does that imply that AWS isn't as vulnerable as other cloud providers? Hmm. How does that work? 
1/10/2018 | 2:56:01 AM
TIL - Samsung Electronics overtook Intel in semiconductor manufacturing
I had to stop reading to find out who had displaced Intel as the top semiconductor maker -- to learn that memory chips made by Samsung pushed it ahead of Intel on a production numbers basis. Wow. 

But if we don't count memory, and just go by CPUs... it's still Intel #1, right? (Maybe not for long, now?)