Security Update: Meltdown and Spectre Vulnerability Advisory
To kick off the New Year of 2018, it was announced that Google researchers had discovered that most of the processors running on computers and smartphones are open to a new class of security vulnerability that makes them susceptible to attack.
Understandably, this news has been seized upon by the media as yet another security flaw for today’s device-, network- and internet-dependent businesses to deal with.
The key problem with the Meltdown and Spectre vulnerabilities is that, because of the very way processors operate, the worst-case scenario could lead to attackers gaining information about systems, including passwords and other private information.
The good news is that the newly discovered vulnerabilities will not cause computers to stop working (as with ransomware), nor do they give malicious hackers instant access to them.
Any malicious attacker seeking to exploit these Meltdown and Spectre processor vulnerabilities would first need to find another way to enter the local system.
However, the discovery does highlight that software is not alone in being vulnerable to security flaws and potential exploitation.
What is the latest situation?
Major cloud providers including Microsoft, Amazon and Google have now developed patches which have been applied to servers and applications.
If your business uses any other cloud-based solution, you should look out for instructions from the respective cloud provider concerning the application of patches.
In some instances, communications may be informative only because patches will be applied centrally by the cloud provider. In other cases, some cloud service providers may issue guidelines which, while requiring the patching of operating systems on individual machines, may extend to virtualised solutions, where each instance of an operating system may need to be patched.
At the time of writing, many vendors of both software and hardware technologies have indicated that they have issued – or will issue – patches to address the known vulnerabilities, in which case best practice is to apply those patches at the earliest opportunity.
For organisations with good patch management processes, this means that the patching requirement can be factored into normal IT operations. However, it is advisable to be extra vigilant for network and system events that may be out of the ordinary.
Alliance Solutions Advice
Our advice is to continue with your regular patching routines, whilst being extra vigilant for additional threat alarms.
As mentioned above, those intent on exploiting the Meltdown and Spectre vulnerabilities will rely on other attack vectors to gain access. So be on the lookout for any abnormal network and system activity which might indicate that an attack is underway.
All supported versions of Microsoft Windows will receive an emergency patch to fix flaws in Intel CPU chips. The company reports that: “Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and in some cases updates to AV software as well.”
Small businesses are advised to wait for operating system patches to become available and then follow their normal update procedure.
In addition to applying the operating system updates, businesses are also advised to look into firmware updates.
Further consideration
There have been reports that patching of some types of operating systems in response to Meltdown and Spectre could see cloud performance degraded, with some systems suffering as much as 30% performance loss.
However, this type of performance degradation is likely to be confined to older systems. The degree of performance loss will also depend largely on the applications involved.