Meltdown and Spectre: Apply software updates

This week, a set of vulnerabilities were disclosed that document fundamental flaws in most modern computer processors. Meltdown and Spectre flaws rely on an attacker being able to run arbitrary code on your computer, however, this can be trivial, as researchers were able to exploit these vulnerabilities with JavaScript in a web browser. Almost everyone uses web browsers, and the ubiquity of brokered web advertisements and content means that almost all web browsing activity involves executing untrusted, arbitrary programs. Virtualized multi-tenant systems such as virtual private servers (VPS) and cloud services are where things get even more interesting. Even instances of VMWare, Hyper-V, Xen and others hosted in your own data center may present significant attack surface under the right conditions.

What’s actually at risk? Both vulnerabilities can potentially expose fragments of a computer’s RAM contents, which may be sensitive, and, in some situations, may cross virtualization boundaries. For example, this vulnerability might enable an attacker to read parts of memory allocated to your VPS from a different VPS belonging to someone else, or allow an un-privileged program access to sensitive information held in memory, such as encryption keys or banking information.

All major cloud services (Amazon Web Services, Google Cloud and Microsoft Azure) have patched their systems, and patches are available for Windows 10, macOS High Sierra and many Linux distributions already. Additionally, patches have been made available for most modern web browsers and many virtualization platforms. Vendors will likely continue to deploy mitigations to these vulnerabilities over the coming days and weeks. There have been some reports of Windows patches and endpoint protection software incompatibilities, so, as usual, test the patches before you deploy them to the whole enterprise.

The full and proper fix will likely involve firmware updates or new processors. For many consumers, this might mean buying a new computer later on. It’s important to realize that the patches being issued in the near term are mostly “band-aid” solutions that are designed to minimize the probability that these bugs are exploited. Patching is the only thing end-users and IT teams can do about this bug right now. Timely application of software updates is a good policy for everyone, so now is a good time to reiterate this. Below is a quick security awareness training video from RiskTool with information about software updates and patching. Most training videos are accompanied by a quick reference guide, such as this one, related to the training content embedded here.

RiskTool is our powerful learning management system (LMS), which enables easy implementation of policy and training, to transform employees from a source of risk into a force for security. Learn more about RiskTool here.

Is IntelliShun vulnerable to Meltdown or SPECTRE?

No. IntelliShun uses a MIPS64 processor, which is not known to be vulnerable to these attacks.

Is ThreatSweep vulnerable to Meltdown or SPECTRE?

No. These vulnerabilities rely on an attacker being able to execute arbitrary code in userspace, targeting workstations and multi-tenancy servers. This embedded platform only executes programs we have installed. Note: This statement also applies to the IntelliShun10G platform, which is based on similar software and hardware as the ThreatSweep.

Posted in Blog.