A report of two new vulnerabilities named Meltdown and Spectre was published last Wednesday, January 3, 2018. It is a big deal because they are hardware vulnerabilities affecting pretty much everything with a silicon chip. Yes, this means microprocessors on workstations and servers, mobile phones, tablets, cloud services, and other platforms.
Currently, mitigation and recommended processes are in flux. New information, articles, and white papers have emerged daily over the last week. As you research these concerns, be sure you are referencing reputable sources and that the information is up to date.
For now, the tricky part is that some of the early updates aimed at mitigating the vulnerabilities have yielded incompatibilities which might leave systems inoperable. (The fix might break things.) Please be cautious. Verify and test updates before installation.
The Vulnerabilities
Both are classified as speculative execution vulnerabilities. If exploited, they allow unauthorized access to protected areas of memory, which could let an attacker collect sensitive information such as passwords and nonpublic customer information.
- Meltdown - allows unauthorized access to memory, including protected kernel memory. Affects almost all Intel processors manufactured since 1995 and some ARM processors.
- Spectre - allows unauthorized access to memory used by other computer processes. Affects almost all processors. It has been verified on Intel, AMD, and ARM processors.
Mitigation
As the IT industry moves to mitigate these vulnerabilities, incompatibilities that can render systems unusable have occurred. It is of utmost importance to verify and test updates before installation. Prudently pursue the following security processes and ensure they are working effectively within your organization (these are already standard elements of strong security cultures):
- Installation of security software updates - antivirus software, endpoint security software, etc.
- Installation of operating system (OS) updates - Microsoft Windows, Linux, Mac OS, iPhone, Android, etc.
- Installation of web browser updates - Microsoft Edge/Internet Explorer, Google Chrome, Mozilla Firefox, etc.
- Installation of firmware updates for microprocessors - BIOS updates issued by computer system manufacturers - Dell, Lenovo, HP, Apple, etc.
- Prevention of malicious code execution - website blocking, website ad-blocking, phishing detection, security awareness training for users (how to spot malicious emails, not to click on links in emails), etc.
Exploits of these vulnerabilities are likely to change over time, and the controls issued by hardware and software manufacturers are likely to change as well. Therefore, it will be important to ensure updates are installed regularly.
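One way to confirm, after operating system and firmware updates, what a Linux system itself reports about Meltdown and Spectre (an added example, not part of the original advisory). It assumes a kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities; the function names are hypothetical and the sample status files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: summarise what a Linux kernel reports about Meltdown/Spectre.
# Assumption: the kernel exposes the sysfs directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        *[Vv]ulnerable*)              echo VULNERABLE ;;  # checked first, conservative
        "Not affected"*|Mitigation:*) echo OK ;;
        *)                            echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR] -> one line per issue; returns 0 only if all are OK
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ -r "$file" ]; then
            status=$(cat "$file")
        else
            status="(not reported by this kernel)"
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = OK ] || rc=1
    done
    return "$rc"
}

# Constructed sample: a partly patched host (files modelled on kernel output)
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; call check_cpu_vulns with no argument
# to read the live system instead.
sample=$(make_sample_dir)
check_cpu_vulns "$sample" || echo "at least one issue is not reported as mitigated"
rm -rf "$sample"
```

A verdict of OK reflects only what the kernel reports about itself; UNKNOWN means the kernel did not report a status for that issue, so the host should be treated as unverified.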
Additional information provided by the researchers who discovered both vulnerabilities can be found at https://meltdownattack.com/.