What are Meltdown and Spectre?
Last week, security exploits known as “Meltdown” and “Spectre” became a matter of extensive discussion in the technology world. A lot has been written about these security vulnerabilities since they were discovered, and we at Neverware suggest reviewing some of what’s already written if you’re interested in building an understanding of what Meltdown and Spectre are on a technical level, as well as how they can affect you:
What actions should CloudReady users take?
CloudReady, similar to Chrome OS, has automatic updates turned on by default, so for most customers and users no action is necessary in order to receive security fixes.
To ensure your school or business receives security updates as soon as they are available, make sure you have whitelisted the domains listed at network.neverware.com on your organization’s networks, and that you are not blocking or disabling device updates in your Google Admin console.
One of the reasons we believe in CloudReady is that it makes updates, whether for features or security, seamless and automatic. Scenarios like this one highlight just how important it is to choose an operating system and management paradigm that allow machines to be rapidly updated when threats are discovered.
Another optional action is to enable an experimental Chromium browser feature called "Site Isolation". Site Isolation will help combat the Spectre exploit by ensuring that
"pages from different websites are always put into different processes, each running in a sandbox that limits what the process is allowed to do. It also blocks the process from receiving certain types of sensitive documents from other sites. As a result, a malicious website will find it more difficult to steal data from other sites, even if it can break some of the rules in its own process."
Site Isolation is an experimental feature in CloudReady v61 and may cause some drop in performance. You can read more about these tradeoffs, and how to turn on Site Isolation, by visiting this Google support article:
In CloudReady v63, it will be possible to enable site isolation as a management policy for your fleet of CloudReady machines. Read more about this coming option at:
How is Neverware responding to these issues?
Over the next 7-14 days, we plan on releasing CloudReady v61 to all Editions and release channels of CloudReady. Along with the kinds of improvements and new features that we normally include in releases, v61 will have several fixes to both our Linux kernel and the Chromium browser to help mitigate the Meltdown and Spectre security vulnerabilities.
What security patches are included in v61?
Similar to the work being done by Microsoft, Apple, and Google, we've started including patches to CloudReady to mitigate the risk posed by Meltdown and Spectre. Starting with our next release, v61.3, CloudReady will include an updated Linux kernel (v4.14.13 or later). This kernel upgrade includes kernel page-table isolation (KPTI) fixes that have been written and reviewed by the Linux Kernel development community specifically to help address this issue. The Linux Kernel is worked on by a broad consortium of commercial and individual contributors, and these fixes are the same ones being included in other Linux distributions.
Neverware regularly updates the Linux kernel included in CloudReady, so we plan on including any additional patches as they become available in the future.
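If you want to confirm that a device has actually received a kernel at or above the v61.3 baseline and that the kernel reports KPTI as its Meltdown mitigation, the following POSIX shell script does both checks. It is an added example, not Neverware's code; it assumes the kernel exposes the standard /sys/devices/system/cpu/vulnerabilities/meltdown status file (present on kernels that carry the KPTI patches) and that `uname -r` reports the running kernel version.

```shell
#!/bin/sh
# Added example (not part of CloudReady). Checks a Linux host against the
# 4.14.13 kernel baseline and reads the kernel's own Meltdown status line.

# kernel_at_least MIN ACTUAL -> returns 0 when ACTUAL >= MIN, comparing the
# first three dotted numeric fields; distro suffixes such as "-1" are ignored.
kernel_at_least() {
  min=$1
  actual=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
  i=1
  while [ "$i" -le 3 ]; do
    m=$(printf '%s' "$min" | cut -d. -f"$i")
    a=$(printf '%s' "$actual" | cut -d. -f"$i")
    m=${m:-0}; a=${a:-0}          # missing fields count as 0 (e.g. "4.14")
    if [ "$a" -gt "$m" ]; then return 0; fi
    if [ "$a" -lt "$m" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0                        # all three fields equal
}

# meltdown_status STATUS_LINE -> prints mitigated | not_affected | vulnerable | unknown
# for the one-line text the kernel writes to .../vulnerabilities/meltdown.
meltdown_status() {
  case "$1" in
    "Mitigation: PTI"*) echo mitigated ;;
    "Not affected"*)    echo not_affected ;;
    Vulnerable*)        echo vulnerable ;;
    *)                  echo unknown ;;
  esac
}

# Run against the live host only when invoked as: sh check-kpti.sh --check
if [ "${1:-}" = "--check" ]; then
  kver=$(uname -r)
  if kernel_at_least 4.14.13 "$kver"; then
    echo "kernel $kver: meets the 4.14.13 baseline"
  else
    echo "kernel $kver: below the 4.14.13 baseline, update still pending"
  fi
  f=/sys/devices/system/cpu/vulnerabilities/meltdown
  if [ -r "$f" ]; then
    line=$(cat "$f")
    echo "meltdown: $(meltdown_status "$line") ($line)"
  else
    echo "meltdown: unknown ($f missing; kernel predates mitigation reporting)"
  fi
fi
```

A result of "vulnerable" or a kernel below the baseline on a managed device usually means the update has not been delivered yet, so check the domain whitelist and Admin console update settings described above.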
Other and ongoing security patches
In addition to kernel-level fixes, we are investigating a number of changes that have been developed for the Chromium browser in response to Meltdown and Spectre. You can read about Chromium's plans to mitigate Meltdown and Spectre here: https://www.chromium.org/Home/chromium-security/ssca
Neverware currently expects to start by releasing only the kernel-level patches while we continue to investigate and test the changes specific to the Chromium browser. Ultimately, we remain committed to delivering the same security enhancements that Google and the wider Linux community agree upon, including those targeted specifically at Meltdown & Spectre.
We will update here on our blog if any developments lead to a material change in the security plans detailed above, but if you have other questions you are always welcome to reach out to us via the usual methods referenced below.