Spectre and Meltdown Security Vulnerability Updates
What are Spectre and Meltdown?
Spectre and Meltdown are vulnerabilities that malware can exploit through speculative execution side-channel attacks. There are no known active exploits of either Spectre or Meltdown.
- Spectre steals data from the memory of other applications running on a machine. It affects almost all modern processors - including those from AMD, ARM, and Intel.
- Meltdown enables reading protected memory. It can be easily fixed by OS updates and seems to be limited to Intel chips.
What products are impacted?
Please check our additional information page for impacted products and a schedule of patch releases.
The page will continue to be updated as patch release dates are established.
What does Zebra recommend I do?
Zebra encourages customers to develop and maintain a regular software maintenance program. Zebra is actively working with operating system and processor vendors to provide remediation in a timely manner.
Zebra devices capable of running application code should be locked down to prevent loading of a malicious application that could attempt to exploit the vulnerabilities. Impacts from malicious code utilizing either Spectre or Meltdown can be mitigated by only loading application code from trusted sources. There are no reports of any successful reproduction of these vulnerabilities leading to a security issue on ARM- or Intel-based Android devices.
- Android-based products with a 2018-01-05 security patch level will be updated for the remaining mitigations of CVE-2017-13218 as required for compliance with the 2018-03-05 security patch level. Zebra mobile computing devices may be protected through a locked-down configuration or by using Enterprise Home Screen to limit what applications can be launched. See the Zebra Android device update schedule.
- Microsoft-based products under Microsoft support will be updated by Microsoft. Windows CE and Windows Mobile operating systems are under investigation. See Microsoft's Spectre/Meltdown page for further information.
- Printer products potentially affected by the Spectre vulnerability are limited to the ZT510, ZT610 and ZT620. All other printer products currently deployed use a processor core that is not affected by Spectre. While the ZT510, ZT610 and ZT620 are potentially affected by Spectre, they are not directly impacted since the printer can only execute Zebra authored code. Zebra printers are not susceptible to Meltdown.
- Zebra OneCare Premier (Managed Service) customer devices eligible for upgrades can be scheduled as part of the customer's contracted release management entitlement. Zebra-provided services employing cloud infrastructure are being updated as patches become available.
Vulnerability Release Date
Variant 1 – CVE-2017-5753, Spectre: Bounds check bypass
Variant 2 – CVE-2017-5715, Spectre: Branch target injection
Variant 3 – CVE-2017-5754, Meltdown: Rogue data cache load, memory access permission check performed after kernel memory read
CVE-2017-13218 is a general case mitigation for side-channel attacks that also addresses this issue.
Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third-party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.
Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.
Are you aware of a potential security issue with a Zebra Technologies product?