React, Flux, GraphQL, Hack, HHVM...? All of this and more!
An update to the Linux Kernel has been released. A week later than scheduled, the release 4.15 brings mitigations to the Meltdown and Spectre vulnerabilities.
In a twist of Irony the latest version of the Linux shipped the same weekend that Microsoft rolled back it's Windows Spectre patch citing issues with stability and memory corruption.
The two vulnerabilities have yet to come with large scale exploits, but with Linux being the most common Operating System in for server farms it is important. Linux is now running everything from Google to Facebook to IaaS providers like AWS and GCS down to PaaS offerings like Platform.sh and Heroku.
The Kernel is the core code in the operating system managing low level tasks. In the update both vulnerabilities are explicitly addressed. For Meltdown avoidance (Intel CPUs only) there is a feature called Page Table Isolation (PTI) that prevents exploiting Speculative Execution. Users can choose to turn it off with a special "pti=off" kernel boot option.
There are infact three instinct vulnerabilities identified, one Meltdown and two variations of Spectre. Spectre are known as v1 and v2. Kernel 4.15 does include a patch for Spectre variant 2 (v2), but for the v2 there is still work to be done.
For Spectre v2 the fix for both Intel and AMD processors, the fix comes in the form of a retpoline mechanism. It requires use of a compiler (GCC) that is compatible, so users will need to update accomplying fixes as well. As with the Meltdown fix, the Spectre fix can also be explicitly disabled at own risk.
So the Spectre v1 vulnerability is still at large, but difficult to exploit. Currently Windows Server machines have a working patch for v1, but not v2 - technically you could protect yourself by running the latest Kernel fix virtualized on the latest Windows Server release.Tweet