Vulnerability Alert: Meltdown and Spectre

 

You may have seen or heard in the news recently about Meltdown and Spectre, two new security exploits. These new attacks are based on flaws in the way that the CPU (Central Processing Unit), the main processing “chip” inside today’s computers, executes code.

These new “hacks” are of significant concern to the industry, and the situation is still developing. Almost all computers in use in an office or home today use CPUs from either Intel or AMD. Intel processors are known to be vulnerable. AMD claims that their processors are not vulnerable, but this has not been verified. Mac computers since about 2006 use Intel CPUs and are therefore subject to these flaws. The CPUs used in iPhones and older Macs are “ARM processors” and are also affected.

The exploits were discovered and published by Google’s Project Zero, Google’s internal team of analysts who are tasked with finding previously unknown vulnerabilities. No one knows if these exploits have ever been discovered by others, and there are no confirmed reports of these vulnerabilities actually being used in “real life”. Exploiting these vulnerabilities requires a way to execute malicious code on the targeted machine, typically through a rogue application such as a website containing malicious JavaScript code.

Vendors such as Microsoft and browser developers such as Google and Firefox are releasing software-based patches for operating systems and web browsers that address the ways these attacks are carried out, but the full repair for the CPU problem will take longer and require much more sophisticated repairs. Two other things to note. First, some of the released fixes will adversely affect system performance. Second, the fixes can only be applied to the latest system versions, so if your system is not fully up to date for some reason (e.g., application compatibility or an older server), it will need to be brought fully up to date prior to applying any patch.

VPSG is monitoring the situation, and we will push out patches for specific software as they become available. When more information becomes available on the CPU fixes, we will let you know what will be required. We will keep you informed of new developments as they occur.

If you have any questions, please reach out for more information.