Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive
A significant security flaw in Intel's microprocessors sent all of the major public cloud providers into patching overdrive this week, even as many tried to play down the significance of this particular vulnerability.
Intel Corp. (Nasdaq: INTC), which is currently the world's second largest provider of microprocessors, is a significant player in the data center and cloud markets, and the company's x86 CPU underpins the infrastructures of the hyperscale facilities that support various public cloud platforms. (See Hyperscale Data Centers Continued to Grow in 2017.)
In response, Amazon Web Services Inc. , Microsoft Corp. (Nasdaq: MSFT) and Google (Nasdaq: GOOG) all sent out patching and security information to customers this week. While the flaw in the Intel chips cannot be fixed, the operating systems can be patched to prevent hackers from taking advantage of the vulnerability.
The flaw was first reported in a paper published by Graz University of Technology in Austria. Researchers found that by manipulating pre-executed commands within the chip, which help make data available faster, hackers can gain access to the content of the kernel memory.
This, in turn, can allow the hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.
On Security Now, Curtis Franklin has a complete rundown of how the flaw works and the security implications. (See New Intel Vulnerability Hits Almost Everyone.)
Microsoft has the most at stake in this patching scramble.
Not only is the company's Azure platform the second-largest public cloud platform in the world, the company's Windows operating system is closely coupled with the x86 chip architecture and runs in a significant amount of global data centers.
However, to be fair, Linux operating systems need patching as well.
In a January 3 blog post, Microsoft noted that it is aware of the flaw and that once customers reboot their virtual machines (VMs), it would apply the patch. However, Redmond noted that it planned to accelerate its patching schedule this week to address the security issue.
"The majority of Azure infrastructure has already been updated to address this vulnerability," according to Wednesday's post. "Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required."
AWS, the world's largest public cloud provider, noted in its own post that this type of CPU flaw has been known for about 20 years and can affect AMD and ARM chips, as well as Intel processors. However, Amazon noted that a small percentage of its EC2 fleet was being patched to address the issue late Wednesday.
Amazon also noted that it is patching its own version of Linux and warning customers to look out for updates to Windows.
In its own lengthy post, Google noted that some of the problems with the Intel vulnerability, specifically the flaw with "speculative execution" that helps optimize CPU performance, had been disclosed by its own Project Zero team in 2017.
The search giant also pushed up notification from January 9 to address the security issues that had been made public. A full Project Zero report on the flaw is also in the works.
"As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google's systems and our users' data. We have updated our systems and affected products to protect against this new type of attack," according to the post.
In addition to its own products and services, Google noted that some customer action might be needed to address concerns with its Google Compute Engine, Kubernetes Engine, Cloud Dataflow and Cloud Dataproc.Related posts:
- MIT Warns of Ransomware in the Cloud, Weaponized AI
- 10 Cloud Stories That Mattered in 2017
- AWS Reportedly Eyeing Deal for Big Data Startup Sqrrl
- HyTrust DataGravity Acquisition Bears Fruit for Cloud Security