Oracle patches Spectre and Meltdown chip flaws
- 17 January, 2018 13:56
Oracle has said it will issue a critical patch that provides fixes for certain of its products for the Meltdown and Spectre chip flaws, both of which affect Intel chips.
The critical patch contains 237 new security fixes across several Oracle products, the company said on its website.
“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities,” the vendor said.
Separately, technology website The Register reported, citing a document in Oracle's customers-only portal, that certain versions of Oracle Solaris on SPARCv9 are affected by one of the chip flaws, named Spectre, and the company was working on a security patch for it.
Oracle declined to comment on the report.
On 3 January, security researchers disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel, Advanced Micro Devices and ARM Holdings.
One of the bugs is specific to Intel but another affects laptops, desktop computers, smartphones, tablets and internet servers alike. Intel and ARM insisted that the issue was not a design flaw, but it will require users to download a patch and update their operating system to fix.
“Phones, PCs, everything are going to have some impact, but it’ll vary from product to product,” Intel CEO Brian Krzanich said in an interview with CNBC Wednesday afternoon.
Researchers with Alphabet's Google Project Zero, in conjunction with academic and industry researchers from several countries, discovered two flaws.
The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer's memory, potentially letting hackers read a computer's memory and steal passwords.
The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.
Several other global software vendors have already issued patches for the vulnerabilities, including Microsoft and Apple.
(Reporting by Ismail Shakil in Bengaluru; Editing by Sandra Maler; with Douglas Busvine, Stephen Nellis and Salvador Rodriguez; additional reporting by Jim Finkle and Laharee Chatterjee; editing by Peter Henderson and Lisa Shumaker; with ARN Staff)