|Technical Rating: |
|Published Date : 15 Jan 2018
Last Updated : 25 Jan 2018
Content Ref: TEC6046757
The following is Google product's status on mitigations against CPU speculative execution attack methods:
Google Chrome OS (Chromebooks, etc.)
Chrome on Chrome OS includes the Chrome browser mitigations mentioned above, including Site Isolation.
Chrome OS versions prior to 63 are not patched. To check the update status for your specific model, see this page. Chrome OS operating system started receiving version 63 on 15/12/2017.
'Chromebox for Meetings' devices run only trusted code from Google and are not at risk from this attack.
Intel Chrome OS devices on kernels 3.18 and 4.4 are patched with Kernel Page Table Isolation (KPTI) in Chrome OS 63 and above.
Older kernels will be patched with KPTI in a future release. Known attacks do not affect existing ARM Chrome OS devices, but these devices will also be patched with KPTI in a future release.
On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices.
The Android 2018-01-05 Security Patch Level (SPL) includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors. These changes were released to Android partners in December 2017.
Future Android security updates will include additional mitigations. These changes are part of upstream Linux.
Google-supported Android devices include Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL. Users should accept the monthly updates for January 2018 on Nexus or their partner devices to receive these updates. Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation.
Timing mitigation for ARM processors included in the 2018-01-05 SPL as CVE-2017-13218.
Other Intel and ARM Processor specific fixes provided to partners.
Any Chromebooks on version 63 and above are safe from the vulnerabilities.
|Checking Chromebook model|
To check if the model of Chromebook is protected against Spectre / Meltdown, then please refer to the following document published by Google:
The Protection State should indicate whether the model is protected, needs to be patched to operating system version 63 or is not protected/end of life.
Our current standard offering for Chromebooks is an HP Chromebook 11/14, which is generally noted as safe. HP Chromeboxes, however, will need to be updated to version 63 of the operating system.
|Checking operating system version from a Chromebook|
The operating system version of a Chromebook will be displayed on the top right-hand corner of the lock screen, as shown in the image below.
To view the Chromebook operating system version from an unlocked Chromebook, follow the steps below:
- Click Settings and then the menu bar.
- Click About Chrome OS. This should display the current Chrome OS version and allows you to check for any available updates.
|Checking operating system version from a G Suite tenancy|
If you wish to check the Chromebook operating system versions of all your enrolled Chromebooks, follow the steps below:
- From the Admin Console, click Device Management.
- Click Chrome Devices.
- Tick the 'Search all organisations' box and then click SEARCH.
- Click the serial number of the Chromebook you wish to check.
- Click the 'Hardware and OS' tab. The operating system version is displayed.
|Exporting Chrome OS version via Apps Script|
Step 1: Create new document
- Create a blank Google Sheets document.
- Click Tools and then Script Editor.
Step 2: Allow API access
- On the blank script page, click Resources.
- Click Cloud Platform project.
- Click the default project link which appears.
- In the Google Cloud console, at the top left-hand side, click the menu bar.
- Click 'APIs & services'.
- Expand ENABLE APIS AND SERVICES.
- Click Enable.
- Close this tab and return to the Apps Script.
- Click Close on the pop-up window.
- Click Resources.
- Click Advanced Google Services.
- Toggle the Admin Directory API to 'on'.
- Download the chrome_os_script.js file from the Download section below and copy all contents and paste them into the blank script page.
- The script will run in two parts:
- Part 1
- Go to Run, 'Run function'.
- Click getChromebooks.
- Part 2
- Once Part 1 has successfully finished, go to Run, 'Run function'.
- Click 'tableFill'.
Now return to the Google Sheet and all information should be there.
|Checking Android security version|
Any Android or Google devices which have been patched from 5 January 2018 onwards should be protected. All Google branded devices will receive this update automatically and any other hardware provider or operator should follow suit soon afterwards.
To check your latest version follow this Google article: https://support.google.com/pixelphone/answer/4457705
If this article has not helped provide a solution then it is also possible to
log a call...
Document Keywords: meltdown, spectre, chromebook, protect chromebook, vulnerability