Two major security flaws have been uncovered in both Intel and ARM-based processors and have been named ‘Meltdown’ and ‘Spectre’. Affecting a significant portion of the world’s computer processors these security flaws render computer processors vulnerable to hackers.
While they might sound like James Bond films, however, they are in fact severe security flaws.
The short ‘Too Long Did not Read’ (TLDR) is that these two flaws could make it easier for something like a malicious program to steal data that is stored in the memory of other running programs. This data could contain passwords, personal and financial data.
National Vulnerability Database (NVD) – Meltdown CVE-2017-5754
Meltdown, discovered by researchers from Google’s Project Zero, the Technical University of Graz in Austria and the security firm Cerberus Security in Germany, affects Intel, ARM, and other processors. Meltdown could, for example, leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.
National Vulnerability Database (NVD) – Meltdown CVE-2017-5753
Spectre, which affects Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be tricked into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.
No Known Exploits – Yet!
It should be said that researchers have uncovered the existence of the flaws, and while the potential for exploitation is there, there have been no known exploits to date. In the light of the wide publicity that the existence of the flaws has received, this could change.
What is Being Done?
Intel has announced that it is working with AMD, ARM, other technology companies and some operating system vendors to find a fix. Intel and ARM are also planning to release patches for the flaws in upcoming software updates from them and operating system makers.
Google has said that the flaw did not exist in many of its products, and it has mitigated the issue in those products where it was present. Google has also said that an upcoming browser update (Chrome 64) will offer further protection when it is rolled out on 23 January.
Microsoft has released an emergency patch for all Windows 10 devices with other updates for other Windows versions scheduled for release within days.
Amazon is reported to have said that its whole EC2 fleet is now protected.
Apple has issued a partial fix in macOS 10.13.2 and will continue to fix the issue in 10.3.3.
What Does This Mean For Your Business?
It is highly likely that your devices are affected by these flaws because they are hardware flaws at an architectural level, more or less across the board for all devices that use processors.
Although closing hardware flaws using software patches is a big job for manufacturers and software companies, it is the only quick answer to such a large-scale problem. Some patches may come in the form of a Firmware upgrade which may require planning before applying – typically a firmware update is intrusive and requires a reboot.
Regular patching is a good baseline security habit. Research from summer 2017 (Fortinet Global Threat Landscape Report) showed that 9 out of 10 impacted businesses get hacked through unpatched vulnerabilities and that many of these vulnerabilities are 3 or more years old with already patches available to address these vulnerabilities.
It is worth refreshing your employees on the following guidelines:
• Never download unknown or unapproved software from the internet. If in doubt, check with our helpdesk.
• Never open unsolicited attachments in emails, even if it is from a known email address.
• Always pay attention when operating systems such as Windows prompt to restart to apply updates – some patches and fixes will have no effect until the system is rebooted.
As with all patching, it is important to keep your software up-to-date too (not just your Operating System) including your security products such as anti-malware and anti-virus.
Related article: Spot 13 Security Flaws in this photo