Meltdown and Spectre: Are You At Risk?
Articles by: Richey May, Jan 04, 2018
On January 3, 2018, Google security researchers announced that they had discovered a number of cybersecurity vulnerabilities that impact machines using Intel and other hardware vendor devices, such as mobile devices running iOS and Android. Prior to this announcement, Google worked with a number of other major technology providers to enable them time to develop a fix for the issue. While there are no known attacks currently in the wild, now that this issue has been made public, it is critical that patches are applied quickly. These vulnerabilities can lead to the information disclosure of protected information as it is processed by a computer and can also be exploited remotely. As such, an attacker potentially could access or impact your system without having direct physical access to any device.
These vulnerabilities have been given the names Meltdown and Spectre and impact most systems running Linux, Microsoft Windows and Apple Mac OSX. These vulnerabilities also impact shared resource platforms such as cloud hosting services provided by Microsoft Office 365 and Azure, Google G-Suite, and Amazon AWS.
WHAT SHOULD I BE DOING TO PROTECT MY ORGANIZATION?
Take an inventory of the computing systems you own and operate, and ensure that emergency patches from Microsoft, Linux and Apple are being applied. (You must be running MacOS X 10.13.2 or iOS 11.2).
|OPERATING SYSTEM VERSION||UPDATE KB|
|Windows Server, version 1709 (Server Core Installation)||4056892|
|Windows Server 2016||4056890|
|Windows Server 2012 R2||4056898|
|Windows Server 2012||Not available|
|Windows Server 2008 R2||4056897|
|Windows Server 2008||Not available|
|Windows 10 (RTM, 1511, 1607, 1703, 1709), Windows 8.1, Windows 7 SP1||ADV180002 (Multiple KBs, it’s complicated)|
MY COMPANY INSTALLED THE EMERGENCY MICROSOFT PATCHES ALREADY, ARE WE GOOD TO GO?
The answer is maybe. It has been found that a number of anti-virus products can negatively impact the software patches released by Microsoft, leaving the computer vulnerable. Security researcher Kevin Beaumont (@GossiTheDog on Twitter) is maintaining an on-going list of compatible and incompatible products.
MY COMPANY IS USING VERSIONS OF SOFTWARE NOT LISTED, ARE WE THEN OK?
Unfortunately, the short answer is no. As it is believed this impacts Intel products produced since 2005, you may still be vulnerable if you are running a version of Microsoft Windows that is older than Windows 2008 / Windows 7. Additionally, depending on the age of your equipment, support may no longer be available and therefore no patch will be released.
I’VE HEARD THAT THIS CAN IMPACT PERFORMANCE OF MY COMPUTER BY 5-30%. IS THIS TRUE?
Yes, this is correct. Due to the way modern computers process and handle data, software updates designed to resolve Meltdown and Spectre vulnerabilities can impact performance. The good news is that the newer the system, the less likely you will notice an impact. However, on systems with CPUs that are heavily utilized or that are older, the impact to performance will likely be more noticeable.
I’M IN THE CLOUD, ISN’T THIS MY PROVIDER’S RESPONSIBILITY?
A common misconception is that outsourcing or going to the cloud removes all cybersecurity responsibility of the customer. The truth is there is a continued shared responsibility when you move to the cloud or utilize any outsourced technology service. We recommend monitoring your specific provider to understand how they are handling the Spectre and Meltdown issues. The good news is that many of the major providers were notified of the issue prior to the public announcement, giving them time to patch and remediate the issue.
G-Suite / Google for business: Business systems, including email, messaging, calendaring, and file storage, all of which are powered by Google for Business, should already be protected. Google has publicly confirmed that this is and has been the case.
Amazon Web Services (AWS): As of January 3rd, AWS announced that the majority of their fleet was protected, with the remaining systems to be completed within “hours.” They further stated, “However, in order to be fully protected against these issues, customers must also patch their instance operating systems. Updates for Amazon Linux have been made available, and instructions for updating existing instances are available from AWS.”
Microsoft Azure: As of January 3rd, Microsoft also announced that they would be applying patches to their hosting environment. However as of January 4th, there have been several comments and stories online showing that some customers are still experiencing downtime and outages due to the patching of Meltdown and Spectre. If you are having issues, we recommend contacting Microsoft support directly to identify if you are impacted by this software release or another issue.
WHERE DO WE GO FROM HERE?
Regardless of the platform or environment, cybersecurity issues will continue to impact businesses. We recommend a holistic cybersecurity strategy that includes, but is not limited to, monitoring trends and education, ensure you’re using modern systems and patching them when fixes are made available from the vendor, and good backups and tested data recovery procedures. As the story continues to unfold, we will continue to monitor the situation, and as always, if you have any questions comments or concerns contact JT Gaietto directly.