CPU Vulnerability

Critical processor vulnerability and how to protect yourself from Spectre and Meltdown

Early last week a severe design flaw in modern processors started to become public. Initially discovered by Google’s security team around June last year, the vulnerabilities, named Meltdown and Spectre, would allow an attacker to obtain unprivileged access to contents held in the memory of a device, which in turn would give access to sensitive data like passwords or security keys.

Nearly all processors released within the last 10 years are affected, including desktop PCs, notebooks, tablets and phones.

Impact

The vulnerability was disclosed to the major tech companies 6 months ago, giving them enough time to prepare and test necessary security updates before the coordinated public disclosure on the 9th of January.

Nearly all modern devices that contain a processor are highly likely to be affected and require software and firmware updates.

So far no exploits or attacks are known to use these specific vulnerabilities. However, due to the nature of the attacks, they are difficult to detect and will almost certainly leave no traces in any logfile.

An attacker would require access to a device in order to exploit the vulnerability; however, this could be triggered by simply visiting a malicious website with your browser. This makes this type of flaw especially dangerous for cloud or any other shared hosting environments.

 

How to stay safe

  • Get an overview of your devices that are affected
  • Make sure to check for and install all security updates (patches) that will be or have been released for all your devices

 
We have compiled an overview of the major vendors and devices with recommendations to help you stay secure. Please see the list below.

Microsoft Windows, Edge and Internet Explorer

Microsoft has already pushed out emergency updates for Windows 10 and will provide additional updates on Patch Tuesday tomorrow. This will include Windows 7.1 and Windows 8 as well.

Unfortunately, your anti-virus needs to be compatible for you to receive the security hotfix. Thankfully, security researcher Kevin Beaumont provides a quick overview of the various anti-virus products. Please make sure you update your anti-virus as well.

And if your device isn’t manufactured by Microsoft, meaning you don’t have a Surface device, you need a firmware update from the hardware manufacturer as well.

Updates have been released for Edge and Internet Explorer as well.

Apple macOS, iOS and Safari

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against the vulnerabilities.

A fix for Safari will be released in the coming days.

Android and Google Chrome

On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices. The Android 2018-01-05 Security Patch includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors. These changes were released to Android partners in December 2017.

Chrome 64 is scheduled for release on January 23 and will include protection from Meltdown and Spectre exploits. Chrome allows users to enable an optional feature called Site Isolation which mitigates exploitation of these vulnerabilities. With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process.

Firefox

Mozilla has released a partial fix with Firefox 57, which was rolled out in November 2017. More mitigations have been released with version 57.0.4, so please update your browser.

Amazon Web Services

As per the AWS security bulletin all instances across the AWS EC2 fleet are protected from all known threat vectors from the vulnerability. Customers’ instances are protected against these threats from other instances. While all customer instances are protected, we recommend that customers patch their instance operating systems. This will strengthen the protections that these operating systems provide to isolate software running within the same instance.

Microsoft Azure

Microsoft’s Security Blog states that the majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. You can see the status of your VMs and whether the reboot has completed in the Azure Service Health Planned Maintenance section of your Azure Portal.

Google Cloud Platform

Google provides a detailed overview of required actions and has updated its infrastructure to protect its customers, but in some cases customers need to take action and update the guest operating systems.

Server Operating Systems

Updates for Windows Server are available. Make sure to install the patches and other mitigations described in the knowledge base article. Please be aware that you need firmware updates from the hardware vendor as well.

Red Hat has released updates for its product range as well.

SUSE has published an overview of the released product updates.

Ubuntu will release updates on the initial coordinated release date of the 9th January, or sooner if possible.
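
Once the Linux updates above are installed and the server has been rebooted, the kernel itself can confirm whether the mitigations are active. The script below is an added example, not part of the original article or of any vendor's tooling. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/` (mainline 4.15 and later, and vendor kernels that backported the interface); the function names `classify_status` and `check_host` are made up for this illustration.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux host.
# Assumption: the running kernel exposes the sysfs directory below.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not affected by this issue
        "Mitigation:"*)  echo OK ;;          # a mitigation is active
        "Vulnerable"*)   echo VULNERABLE ;;  # affected, no (or weak) mitigation
        *)               echo UNKNOWN ;;     # empty or unrecognised text
    esac
}

# check_host [DIR] -> one line per issue; returns 0 only if every issue is OK
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ -r "$file" ]; then
            text=$(cat "$file")
            state=$(classify_status "$text")
        else
            # No entry: this kernel does not report its status here.
            # Treat the host as unpatched until verified another way.
            text="(no sysfs entry)"
            state=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$name" "$state" "$text"
        [ "$state" = OK ] || rc=1
    done
    return $rc
}

# Run against the live system only when asked: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
    exit $?
fi
```

A non-zero exit status means at least one of the three issues is unmitigated or unreported, which makes the script usable from a monitoring or configuration-management job.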

If you need any help updating your devices or mitigating the risk for your company and staff, please don’t hesitate to get in touch.
