Meltdown and Spectre
Two critical security flaws were disclosed late last week (3 January 2018). They affect Intel processors and, to varying degrees, AMD and ARM processors as well, which puts servers, desktops, laptops, cell phones and internet-connected devices all in scope. Because the flaws are in the hardware, every operating system running on those processors is affected: Windows, Linux, macOS, iOS, Android, etc.
Details of these flaws were held under embargo until the disclosure, so the full impact of both the risks and the proposed software fixes has been hard to assess. At this point we know a lot more, but we still have a lot to learn. The full impact of the related software patches will only be understood as they are rolled out and reporting continues.
What are the details of the security flaws, and what do they mean from a risk standpoint?
The two flaws are commonly referred to as Meltdown and Spectre. Both are flaws in the design of the processor hardware, not in software. They abuse speculative execution: the processor runs instructions ahead of time and throws the results away if they turn out not to be needed, but the work it did leaves measurable traces in the CPU cache. That breaks the isolation the processor is supposed to enforce between processes. Meltdown lets an ordinary program read memory belonging to the operating system kernel; Spectre tricks another program into leaking its own data through the same cache timing side channel. In other words, these two flaws allow programs on computers, devices and cloud services to read information from other processes without authorization, and they do so without modifying anything or crashing, so the attack leaves no obvious trace.
Based on my readings, official awareness of these flaws dates back to June 2017, when the researchers reported them privately to the chip vendors. The fixes currently shipping for Linux, macOS and Windows are kernel-level changes (for Meltdown, unmapping the kernel from each process's page tables, which is why every system call now costs more) and are very sophisticated. Changes of this kind require a lot of development time and testing; the fact that they are rolling out now means the vendors have had months to work on them.
These design flaws are present in chips manufactured over the past 10 or more years; in Intel's case, essentially every processor sold since the mid-1990s.
What is being done about it, and what action do I need to take?
Software updates have been developed both at the OS level (Windows, Linux, macOS, etc.) and by the web browser vendors (Chrome, IE, Edge, Firefox, Opera, etc.) to mitigate the risk from these hardware flaws. It is important to install these patches, but at this time I am recommending a slow and measured approach. There are known software compatibility issues, and the patches carry a real performance cost that varies with workload: the kernel page-table change hits system-call-heavy and I/O-heavy workloads hardest, while ordinary desktop use is affected much less.
The following is a prudent approach:
- For desktop computers, delay installing the OS patches for a short period, 1-4 weeks, because of the complexity and low level of the changes. There are known incompatibilities with many antivirus packages, and other software affected by these changes may not have been discovered yet.
- Mac OS High Sierra has been patched as of 10.13.2
- Microsoft will be rolling out updates this week on Patch Tuesday
- Many Linux distributions have started releasing updates.
- Update web browsers ASAP, including Chrome, IE, Edge, Opera and Firefox. The recent browser updates reduce the precision of the high-resolution timers a Spectre attack needs to measure the cache, which makes it much harder for a compromised or malicious website to exploit the processor flaws from JavaScript.
- Check with your antivirus vendor for updates and for confirmation that their product is compatible with the latest updates from Microsoft and Linux. Microsoft's January Windows updates are only offered once the installed antivirus has set the compatibility registry key Microsoft required from AV vendors, so an unsupported product silently holds the patch back.
- Update mobile phones and tablets as soon as patches become available.
- For servers, delay installing the patches for one or two patch cycles so that compatibility issues are addressed and the performance impact has been measured on a representative workload and planned for.
- If you run any applications or systems in AWS, Microsoft Azure or Google Compute Engine, be aware of the following:
  - Amazon AWS started deploying software patches and fixes last Friday, which may affect the availability and performance of your instances.
  - Microsoft Azure will be performing updates and patches on January 10th, which may affect the availability and performance of your instances.
  - Google Compute Engine appears to have already applied the needed updates but is asking customers to restart certain processes.
- Newer Intel processors will also receive a microcode (CPU firmware) update, delivered through BIOS/UEFI updates from the system manufacturer or bundled with OS updates, which adds the processor-level controls that the Spectre variant 2 mitigations depend on. Without the microcode, part of the Spectre protection in the OS patch cannot be activated.
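As an added example (not part of the original advisory), the following POSIX shell script checks whether a Linux host has the mitigations from the steps above in place, which is the check you want before and after each patch cycle. Patched kernels (4.15 and the distribution backports) expose one file per issue under /sys/devices/system/cpu/vulnerabilities/, and /proc/cpuinfo gains a `pti` flag when kernel page-table isolation is active and `ibpb`, `ibrs` and `stibp` flags once the Spectre variant 2 microcode is loaded (flag names varied among the early 2018 backports, so the sysfs files are the authoritative source). The `SYSROOT` prefix is an assumption added for this example so the same checks can be pointed at a copied tree; it has no meaning to the kernel.

```shell
#!/bin/sh
# Added example, not from the original advisory: report Meltdown/Spectre
# mitigation status on a Linux host.
# Patched kernels expose one file per issue under
# /sys/devices/system/cpu/vulnerabilities/; older kernels lack the directory,
# which is itself a finding (no mitigation code is present at all).

# SYSROOT is an assumption added for this example: a prefix so the checks can
# be run against a copied or constructed tree instead of the live system.
# Empty means the live system.
SYSROOT="${SYSROOT:-}"

# classify_status "<content of a vulnerabilities/* file>"
# prints: mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vuln <meltdown|spectre_v1|spectre_v2>
# prints "<name> <status> (<raw kernel text>)"
check_vuln() {
    f="$SYSROOT/sys/devices/system/cpu/vulnerabilities/$1"
    if [ -r "$f" ]; then
        raw=$(cat "$f")
        printf '%s %s (%s)\n' "$1" "$(classify_status "$raw")" "$raw"
    else
        printf '%s unknown (no sysfs entry: kernel predates the fixes, treat as unpatched)\n' "$1"
    fi
}

# has_cpu_flag <flag>: succeeds if the first CPU's flag list in /proc/cpuinfo
# contains it. "pti" = kernel page-table isolation (the Meltdown fix) active;
# "ibpb"/"ibrs"/"stibp" = Spectre variant 2 microcode loaded.
has_cpu_flag() {
    grep -m1 '^flags' "$SYSROOT/proc/cpuinfo" 2>/dev/null | grep -qw "$1"
}

# all_mitigated: succeeds only if every issue reports "Mitigation:" or
# "Not affected". A missing sysfs entry counts as a failure.
all_mitigated() {
    for v in meltdown spectre_v1 spectre_v2; do
        case "$(check_vuln "$v")" in
            *" mitigated "*|*" not_affected "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Human-readable summary for the operator running the script by hand.
report() {
    for v in meltdown spectre_v1 spectre_v2; do check_vuln "$v"; done
    for flag in pti ibpb ibrs stibp; do
        if has_cpu_flag "$flag"; then echo "cpu flag $flag: present"
        else echo "cpu flag $flag: absent"; fi
    done
    if all_mitigated; then echo "RESULT: all three issues mitigated"
    else echo "RESULT: at least one issue vulnerable or unknown"; fi
}

report
```

Run it once before patching to record the baseline and again after the reboot; `all_mitigated` can be used as the exit status in a fleet-wide check. On Windows the equivalent is Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which reports the same items: kernel-level Meltdown protection and whether the Spectre variant 2 hardware support from the microcode is present and enabled.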
At this point the vulnerabilities have existed for over 10 years, and we know they were officially reported in June 2017. I think it would be naive to assume that state actors and/or organized crime were unaware of the issue, whether since last summer or well before that. We should assume users have already been exposed to this risk, and that mitigating it should be done cautiously so as to minimize interruption to productivity. There is no sense in running around like chickens with our heads cut off. We should take care of the systems at greatest risk first, browsers and workstations, and cautiously work to address the rest until the next big revelation.