Meltdown and Spectre on Windows CE / Embedded Compact
Meltdown and Spectre have hit the world by storm and of course the Windows CE / Embedded Compact OS is also affected by these processor bugs.
See this ARM bulletin: https://developer.arm.com/support/security-update
And this PDF: https://developer.arm.com/support/security-update/download-the-whitepaper
At GuruCE we of course want to release patches to prevent malicious attacks through these attack vectors, but unfortunately the required code changes are all in places we do not have source code for or that we can't compile:
Variant 1 (Spectre) needs an update of the ARM compiler in CE/EC: https://developer.arm.com/support/security-update/compiler-support-for-mitigations
Variant 2 (Spectre) needs updates to the COREOS code (scheduler / vm code)
Variant 3 (Meltdown) does not apply to the Cortex-A9 (so does not apply to our iMX6 BSP)
We have therefore asked Microsoft for their plans on releasing patches for Windows CE/EC, and today (January 16, 2018) we received an answer:
- "Since the desktop fixes were just released we are just beginning our investigation of the backports for CE7 and Compact 2013. Since CE6 and Handheld were based on XP it is unlikely that we will see a fix unless there is a fix released for XP desktop client."
Please note the above comment is not an "official Microsoft" statement. The comment was received by us in an email from a Microsoft support manager.
So, that is at least some good news. There are still a lot of devices around that run Windows CE 6.0, so in that respect not fixing that OS version is bad, but at least both WEC7 and WEC2013 are now being investigated to see what it takes to be patched by Microsoft.
No timeline yet, but we will keep pushing MS and keep you updated on progress.
The official information pages from Microsoft are here:
There is no official info about Windows CE/EC on those pages yet, but hopefully CE/EC info will be added soon to the official pages, together with a timeline of when to expect the patches for CE/EC.