INFORMATION SECURITY ALERT: RISK MEDIUM - Spectre and Meltdown

By: Jeff Gardiner

January 5, 2018

SUMMARY
Two serious new vulnerabilities, called Spectre and Meltdown, have been discovered, and they have wide-ranging effect. The media has been sensationalizing some of the coverage around these vulnerabilities. These vulnerabilities may expose many systems. To be clear, they are quite serious, but the sky is not falling, at least not yet (meaning the risk is still pretty hard to realize).

HOW IT AFFECTS US

Because these vulnerabilities attack processor-level actions, they potentially affect nearly all modern processors, including those used in computers, smartphones and tablets, and all operating systems: Windows, Linux, OSX (or macOS), tvOS, Android, etc. This means that the Western community, and indeed all of us, may be affected personally.

Even so, exploiting these vulnerabilities successfully (according to Google) is pretty difficult and requires (in most cases) physical access to the device.

PROBLEM SIMPLY EXPLAINED

Meltdown is so named because it apparently 'melts' security boundaries normally enforced by the hardware itself (enforced in memory or process addressing).

Spectre is so named because it breaks the isolation between different applications, tricking even patched programs into leaking their secrets. In this respect Spectre is similar to Heartbleed. The concerning thing about Spectre is that it affects your mobile device as well as your desktop (or server).

The risk presented by Meltdown can be mitigated through software patches, as can certain variants of Spectre.  A number of vendors such as Apple, Google, Intel, and Microsoft were already aware of the problem and have been working on producing patches.

On 3 Jan 18, Microsoft released an update for devices running Windows 10. Google has a blog post about how they have mitigated these threats here:

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

Android devices with the most recent security patches are protected.

Apple has not yet produced all of its patches but has made it clear that it is working on the solution:

http://mashable.com/2018/01/04/apple-statement-on-meltdown-spectre-cpu-bugs/

Apple patches are available for:

iOS 11.2;

macOS 10.13.2; and

tvOS 11.2.

Spectre-focused patches for Safari are expected soon.

REMEDIATION - STEPS TO TAKE

Meltdown and Spectre are real threats. It is still early. The threat becomes real if WE DO NOTHING. So:

If you're using Windows:
Download and install Secunia PSI and update or patch everything it tells you to:
https://www.flexera.com/enterprise/products/software-vulnerability-management/personal-software-inspector/

If you're using Android, update:
https://www.wikihow.tech/Check-for-Updates-on-Your-Android-Phone

If you're using iPhone or iPad, update iOS as much as you can and apply patches:
https://support.apple.com/en-ca/HT204204

If you're using macOS, update and patch:
https://www.apple.com/ca/macos/how-to-upgrade/

For everything else, a helpful list of patches and where to obtain them can be found here:
https://www.us-cert.gov/ncas/alerts/TA18-004A

WHO TO CONTACT

Contact your vendor if you have questions about specific hardware. At Western, contact Western's WTS Helpdesk or your faculty's IT support group. Finally, contact security@uwo.ca (cc helpdesk@uwo.ca).

