AWS, Other Top Clouds Respond to Processor Security Flaw
News this week of a widespread PC processor vulnerability has prompted the industry's top cloud providers to issue assurances to their customers.
The flaw, which was described late Tuesday by The Register, abuses a modern processor's design to potentially give hackers access to a computer's kernel memory. The flaw affects both personal PC systems and shared hardware like public cloud servers.
Early reports originally pinned the vulnerability on Intel processors. However, findings from Google and others indicate that the flaw is present in most modern processors, including those from ARM and AMD, in addition to Intel.
In the wake of the news, leading cloud providers Amazon Web Services (AWS), Google and Microsoft Azure each issued statements on Wednesday afternoon describing the steps they have taken to protect their cloud environments and customers.
Each vendor indicated that they've known about the vulnerability since before Tuesday's disclosure, and that they've already been buttressing their computing environments accordingly. For instance, AWS said in its statement that the flaw has existed for over 20 years, and that prior to Wednesday, only a very small percentage of Amazon EC2 instances remained unprotected.
"The remaining ones will be completed in the next several hours, with associated instance maintenance notifications," AWS said.
For Microsoft's part, the company said in a statement that it has already secured "the majority of [its] Azure infrastructure" against the flaw. In addition, most Azure customer environments should already be protected due to a required system reboot that Microsoft recently implemented.
"Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required," Microsoft said.
As for Google, the company said its entire Google Cloud Platform has "already been updated to prevent all known vulnerabilities."
The providers noted that customers still need to patch their own operating systems to ensure top-to-bottom protection.