How to address the Meltdown and Spectre vulnerabilities
New year, new security vulnerabilities.
By now you’ve likely heard about the Meltdown and Spectre vulnerabilities, which could affect every CPU manufactured since 1995. In short, all of your devices are potentially at risk.
Here’s what you need to know and steps you can take to minimize the threat.
Meltdown and Spectre explained
Three hardware bugs, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), stem from a hardware flaw that could allow programs to steal sensitive data like passwords by accessing information stored in the memory of other running programs.
Meltdown affects virtually every Intel processor made for years and some ARM-based processors as well. Spectre could affect every chip on the market, meaning everything from your servers to your laptop to your smartphone is at risk.
Although additional information is still being released from hardware OEMs and cyber security companies, SHI’s own security experts wanted to share what we’ve learned and what you can do to mitigate risks to your organization.
Many patches are available for Meltdown, but so far there’s no software patch available for Spectre. Because this is a hardware flaw, patches only block exploitation; the vulnerability itself will exist until the affected hardware is replaced.
What you should be doing right now
- Keep your software and firmware current, utilizing available patches.
- Run compatible anti-virus to effectively utilize patches. Here’s a list of anti-virus programs that you can reference to check that your vendor is compatible.
- Understand the effects of possible exposure, specifically where critical systems and data are located.
- Ensure visibility and oversight: What is happening to — and running on — those critical systems?
- Deploy technical, administrative, and physical controls to protect systems and data commensurate with their value.
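For Linux hosts, one way to get the patch-status visibility the list above calls for is to read what the kernel itself reports for the three CVEs. This is an added example, not part of the original article; it assumes a kernel that exposes the sysfs `vulnerabilities` directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report kernel-side mitigation status for the three CVEs named above.
# Assumption: a Linux host whose kernel exposes the sysfs "vulnerabilities" directory.
# The directory can be overridden so the check can run against a copied tree.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status <file>: print one of MITIGATED, NOT_AFFECTED, VULNERABLE, UNKNOWN
classify_status() {
    if [ ! -r "$1" ]; then
        # Missing file: the kernel predates the reporting interface, so nothing is proven.
        echo UNKNOWN
        return
    fi
    # Only the first line carries the status.
    status=$(head -n 1 "$1")
    case "$status" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# audit_host [dir]: print one line per CVE; return 1 if any entry is VULNERABLE or UNKNOWN.
audit_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in "CVE-2017-5754:meltdown" "CVE-2017-5753:spectre_v1" "CVE-2017-5715:spectre_v2"; do
        cve=${pair%%:*}
        name=${pair#*:}
        result=$(classify_status "$dir/$name")
        printf '%s %s %s\n' "$cve" "$name" "$result"
        case "$result" in
            VULNERABLE|UNKNOWN) rc=1 ;;
        esac
    done
    return "$rc"
}
```

Call `audit_host` with no argument on the host itself; a non-zero exit status flags the host for follow-up patching.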
Tools to help mitigate the risks
To patch Meltdown, Microsoft has been working closely with anti-virus software partners to ensure all customers receive the January Windows security updates as soon as possible. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible.
If you haven’t been offered the security update, you may be running incompatible anti-virus software and you should follow up with your security software vendor.
Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.
For more information, please visit the links below.
- The Register: ‘Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign
- Project Zero: Meltdown and Spectre exploits
- FAQs and vendor responses: https://spectreattack.com/
Patch management is an area where we can help your organization mitigate and reduce potential vulnerabilities. Our team of security experts is monitoring the impacts of these latest attacks and can offer you best practices as they emerge.
And if you’ve got Meltdown and Spectre covered but think this might be a good time to have SHI conduct a Security Posture Review of your organization in general, please let us know.