Advisory from the ECPI Center of Excellence

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown is a vulnerability that could be used against Intel chips, and software makers are pushing out patches and updates meant to address the vulnerability. Spectre is a problem for all computer processing units, according to the researchers who discovered it, and it may not be possible to fix.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.

Meltdown and Spectre Explained: Vendor Updates

MAC OS has partially addressed CVE-2017-5754 in 10.13.2 and may release additional support in 10.13.3.

Linux distros have been releasing items to address Speculative Execution, however which CVE addressed is dependent on the distribution. RedHat for example has released updates for some Red Hat Enterprise Linux 7 packages but not others.

Microsoft has released update (KB4056892) to address this. According to The Verge, Windows 10 users will be automatically updated with the patch through Windows Update. While the patch will be available from Microsoft for Windows 7 and 8 users, they will have to wait until Patch Tuesday to receive it automatically via Windows Update. In a statement to The Verge, Microsoft also confirmed that it is deploying fixes to its cloud services.

From Microsoft: We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.

Statements from Companies Impacted by the Malware

Amazon has released a statement on this matter stating:

Microsoft and Amazon have announced scheduled downtime of their cloud services in the coming days.

Google stated in a blog post that “as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data.”

Intel has stated:

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.