Meltdown & Spectre Alert
Monday, January 8, 2018
By now, you have probably heard about the Meltdown and Spectre vulnerabilities that are present on devices worldwide. We wanted to share a bit more information with you to keep you in the know.
WHAT ARE THEY?
Spectre is a vulnerability that have been identified for Intel, AMD, and ARM processors, and Meltdown has been identified for Intel only as of January 5th 2018. These vulnerabilities could allow a hacker to access protected information on your device by exploiting CPU vulnerabilities.
WHO IS AFFECTED?
All major operating systems including Windows, Mac, and iOS devices are affected by this major flaw.
HOW DO I PROTECT MYSELF?
It's important that you update all of your devices with the latest patches available:
To protect against Meltdown, if patches are available from your manufacturer of the device, download, to your test environment for testing and promote to production as soon as possible after testing.
To protect against Spectre, it's important that you take extra precaution to clear session data or log out of sessions after use and enable site isolation in Chrome.
White paper released for general awareness:
MELTDOWN AND SPECTRE VULNERABILITIES Two vulnerabilities have been announced for Intel, AMD, and ARM processors: Meltdown and Spectre. Neither of these exploits has been seen in the wild as of yet. While the only known examples for Meltdown have been Intel based processors, AMD and ARM processors could still be vulnerable. All processors are vulnerable to Spectre. A patch for Meltdown has been released by Windows and Linux. The patch mitigates the threat by reducing the number of bits available to the CPU from 64 to 40. This means there will be speed reductions for applications that utilize 64 bits. This also means that a patch for x86 architectures is still in the works. The reduction of available bits might impact the functionality of your anti-virus.
As far as cloud computing is concerned, all major cloud hosting providers including, online Tech, AWS and Azure were informed of the vulnerability prior to public disclosure and have patched in advance.
As of January 5, 2018, there is no patch for Spectre, but there are some ways you can mitigate the threat.
• Clear session data or log out of sessions after use
• Enable site isolation in Chrome
General Recommendation: For any public-facing server vulnerable to Spectre or any public-facing server not patched for Meltdown, consider limiting inbound connections to explicitly whitelisted IPs if possible, or consider segmenting those systems.