Reputation: 199
I'm confused about why Microsoft says in its official blog post about the Meltdown and Spectre vulnerabilities that customers do not need to patch their VM images in Azure.
https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
This Azure infrastructure update addresses the disclosed vulnerability at the hypervisor level and does not require an update to your Windows or Linux VM images. However, as always, you should continue to apply security best practices for your VM images.
Other cloud vendors, such as GCP and AWS, recommend that their customers patch their systems as well.
https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
While all customer instances are protected, we recommend that customers patch their instance operating systems.
https://support.google.com/faqs/answer/7622138
Read our Security Bulletins page for more information on OS provider patch status, patched image versions, and instructions for patching/updating your guest environments.
I'd like to understand what could be the reasoning behind this.
Thanks!
Upvotes: 0
Views: 448
Reputation: 2513
@snebel29 The Azure infrastructure update addresses the disclosed vulnerability at the hypervisor level and does not require an update to your Windows or Linux VM images. However, as always, you should continue to apply security best practices for your VM images.
More information can be found on the official blog here: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines.
I hope this answers your question.
Upvotes: 1
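For the guest-side patching that the AWS and Google bulletins quoted in the question recommend, a Linux VM's kernel reports its own mitigation status under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of either post or of any vendor's guidance; it assumes a Linux guest, the function name check_guest_mitigations is hypothetical, and the sample status files are constructed so it runs anywhere.

```shell
#!/bin/sh
# Report the guest kernel's own view of its Meltdown/Spectre mitigations.
# Prints one "name: STATUS (raw text)" line per issue and returns 0 only
# when no issue is reported as vulnerable or left unreported.
check_guest_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            # Kernels that predate the reporting interface have no such file.
            echo "$name: UNKNOWN (no kernel report; kernel likely predates the fixes)"
            rc=1
            continue
        fi
        # Read the first line; tolerate a missing trailing newline.
        IFS= read -r text < "$file" || true
        case "$text" in
            "Not affected"*) status=OK ;;
            "Mitigation:"*)  status=OK ;;
            "Vulnerable"*)   status=VULNERABLE; rc=1 ;;
            *)               status=UNKNOWN; rc=1 ;;
        esac
        echo "$name: $status ($text)"
    done
    return "$rc"
}

# Constructed sample status files (not taken from a real VM).
sample=$(mktemp -d)
echo "Mitigation: PTI" > "$sample/meltdown"
echo "Mitigation: __user pointer sanitization" > "$sample/spectre_v1"
echo "Vulnerable" > "$sample/spectre_v2"
check_guest_mitigations "$sample" || echo "guest kernel needs attention"
rm -rf "$sample"
```

Called with no argument inside a VM, the function reads the real sysfs directory. It reflects only what the guest kernel reports, not the state of the hypervisor underneath it.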