INFORMATION SECURITY ALERT: RISK MEDIUM - Spectre and Meltdown
By: Jeff Gardiner
Two serious new vulnerabilities with wide-ranging effects have been discovered. They are called Spectre and Meltdown, and they may expose many systems. The media has been sensationalizing some of the coverage around them. To be clear, these vulnerabilities are quite serious, but the sky is not falling, at least not yet (meaning the risk is still pretty hard to realize).
HOW IT AFFECTS US
Because these vulnerabilities attack processor-level actions, they potentially affect nearly all modern processors, including those used in computers, smartphones and tablets, across all operating systems: Windows, Linux, OSX (or macOS), tvOS, Android, etc. This means that the Western community, and indeed all of us, may be affected personally.
Even so, exploiting these vulnerabilities successfully is (according to Google) pretty difficult and requires (in most cases) physical access to the device.
PROBLEM SIMPLY EXPLAINED
Meltdown is the vulnerability so named because it apparently 'melts' security boundaries normally enforced by the hardware itself (enforced in memory or process addressing).
Spectre is so named because it breaks the isolation between different applications, tricking even patched programs into leaking their secrets. In this respect Spectre is similar to Heartbleed. The concerning thing about Spectre is that it affects your mobile device as well as your desktop (or server).
The risk presented by Meltdown can be mitigated through software patches, as can certain variants of Spectre. A number of vendors such as Apple, Google, Intel, and Microsoft were already aware of the problem and have been working on producing patches.
On 3 Jan 18, Microsoft released an update for devices running Windows 10. Google has a blog post about how they have mitigated these threats here:
Android devices with the most recent security patches are protected.
Apple has not yet produced all their patches but made it clear they are working on the solution:
Apple patches are available for:
tvOS 11.2; and
Spectre-focused patches for Safari are expected soon.
REMEDIATION - STEPS TO TAKE
Meltdown and Spectre are real threats. Things are still early. The threat becomes real if WE DO NOTHING. So:
If you're using Windows:
Download and install Secunia PSI and update or patch everything it tells you to:
If you're using Android, update:
If you're using iPhone or iPad, update iOS as much as you can and apply patches:
If you're using macOS, update and patch:
For everything else a helpful list of patches and where to obtain them can be found here:
WHO TO CONTACT