Cloud Giants AWS, Google And Microsoft React To Meltdown; Solution Providers Remind Customers To Update, Patch Systems

Cloud leaders Amazon Web Services, Google, and Microsoft have told partners and customers that they are working on updates and patches to their platforms and services to protect against the two significant chip-level security vulnerabilities – Meltdown and Spectre – that were revealed this week by researchers and academics.

Meltdown is a hardware vulnerability affecting laptops, desktop computers and internet servers using Intel x86 microprocessors. The flaw is said to allow unauthorized access to user data, including passwords and cached files.

Spectre, the less serious of the two security flaws, is a bug affecting smartphones, tablets, and computer chips from several vendors, including Intel, Advanced Micro Devices Inc. (AMD) and ARM. Spectre lets hackers manipulate applications into leaking sensitive information. Researchers that discovered the vulnerabilities on the chips said that between Meltdown and Spectre, nearly every modern computer and mobile device is impacted.

AWS, Google, and Microsoft communicated to partners and end users that they are aware of the security issues and have been working to prevent exploitation of their offerings. Solution providers can help protect their end customers by supporting a modern security patching infrastructure that includes regular firmware updates from device manufacturers and software providers.

[Related: Intel Downplays 'Inaccurate' Chip Security Flaw Report]

"It’s just another reminder that in 2018, partners need to be helping customers move to a model in which features are introduced monthly or quarterly, and security patches are introduced daily or weekly," said Reed Wiedower, chief technology officer for New Signature, a top Microsoft Azure partner.

The solution providers that support regular updates will be generally well protected from Meltdown and similar exploits, Wiedower said.

"By contrast, partners and customers that don’t patch their operating systems on a real-time basis are going to be put into a bit of a bind as they move forward," he added.

Microsoft told CNBC on Wednesday that it has been working closely with chip manufacturers to develop and test mitigations to protect its customers. The company is also making sure that Azure users aren't being exposed to vulnerabilities.

"The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect," Microsoft said in its blog post about the chip flaws.

As a further precaution, Microsoft told customers that it decided to accelerate its planned maintenance and began automatically rebooting the remaining impacted VMs on Wednesday afternoon. However, the company said that the majority of Azure customers wouldn't see a noticeable performance impact with the latest update.

In addition to its cloud patching efforts, Microsoft also said that it is updating its Edge and Internet Explorer browsers.

Open Systems Technologies (OST), an AWS partner and Microsoft Direct CSP and Gold Partner, is reaching out to its end customers and vendor partners as more information on the vulnerability comes to light, Michael Lomonaco, director of marketing and communications for OST, told CRN.

Grand Rapids, Mich.-based OST has been proactive on both real and perceived vulnerabilities that the security flaw may have created within its diverse customer environments, Lomonaco said. OST is a AWS Alexa for Business partner, and on the Microsoft side, the solution provider has customers on the Azure platform.

Lomonaco said that OST has been "feverishly" communicating via email and making personal calls to both customers and partners in order to make sure any impact is minimized, and any new information is shared.

"We [are] working to ensure necessary updates are made in a timely manner in order to minimize any potential exposure, slowdowns to workloads, and overall performance," Lomonaco said.

HighVail Systems, a Toronto consulting firm and Microsoft Azure partner, is still trying to get to the bottom of how Meltdown and Spectre will impact its customers. In the meantime, the solution provider is encouraging customers possibly impacted by Meltdown to "patch, patch, patch; and set up your infrastructure to be ready to quickly respond to these challenges," according to Bradley Brodkin, president and CEO of HighVail.

For Spectre, Brodkin is suggesting customers upgrade their servers when the next generation of hardware arrives, and to be "cautious about retiring [those older servers] and moving to the cloud."

Cloud giant AWS in a blog post called the vulnerability an issue that "has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices."

AWS assured partners and customers that all but a "small single-digit percentage" of instances across the Amazon EC2 fleet are already protected. At the time of the blog post on Wednesday, AWS said that the remaining unprotected instances would have been updated by Wednesday evening. The company added that in order to be fully protected against Meltdown and Spectre, customers must also patch their own instance operating systems.

Updates for Amazon Linux have also been made available to partners and end customers to update their instances.

Google, which Intel said was the first company to alert it to the vulnerability, said that it updated its public cloud service, Google Cloud, to prevent attacks related to Meltdown and Spectre.

"We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts," Ben Treynor Sloss, Google's engineering vice president wrote in a blog post. However, customers will need to update the operating systems they use on the Google cloud, the provider said.

Google also said that it is "actively working" with its technology partners to ensure that its other cloud-based offerings are updated and patched.