Advisory: Processor Vulnerability Affecting Virtually All Systems

Last year Google researchers at Google’s Project Zero security research center found what is being called the worst hardware flaws yet. While details of the flaws were kept top secret for the security of everyone, bits of information were leaked.

On January 3rd information about the flaws was made public, but there is still much information to come, and much of the flaws details are still being kept under cover.

The pair of security flaws have now been named “Spectre” and “Meltdown”. These flaws are built into the microprocessor found in virtually every system made since 1995. The flaw affects all processors developed by Intel, AMD and ARM.

From what we know now and are being told by Google, Intel and Microsoft, the flaws are the following:

Problem #1 – The performance impact

The Spectre and Meltdown vulnerabilities exploit a flaw in the processors “Speculative Execution” feature. “Speculative Execution” is a technique that processor manufacturers introduced to increase processor performance. By removing this functionality Intel is suggesting there may be a performance decrease of up to 30%. Intel notes that newer processors based on their Skylake or newer architecture will not be affected by the performance impact. Unfortunately, older, slower systems will be the ones that will be affected. The huge performance loss may make some older systems virtually unusable.

Problem #2 – The hardware patches aren’t ready yet

Intel is releasing firmware updates to OEMs but at the moment, not to the general public. This means that the manufacturers of your systems will need to release a system-specific patch for the processor/chipset of each system. “White Box” systems and systems not manufactured by the larger OEMs may not ever get the updates.

Problem #3- Patching the Operating System is the first step, but it’s not perfect.

The only solution to protect your systems immediately is to patch them at the Operating System level, and use the Operating System to prevent applications from exploiting the vulnerability.
Microsoft has released a patch for Windows 10 PCs that will be installed soon, if not already. Microsoft says patches for Windows 7 and Windows 8 will be released in the next week. Microsoft drew the line that they’re not mentioning if they will release a patch for older operating systems like Windows XP, Vista, Server 2003 and Server 2008.

Apple has already released updates to mitigate against some of the potential risks of Meltdown – IOS (11.2), MacOS (10.13.2), and tvOS (11.2). They are hoping to have patches released shortly to help defend their devices against Spectre. Apple has been careful to note that these solutions do not provide complete protection. Apple also has not yet announced their plan to release updates for older Apple devices that do not support the latest builds of their Operating Systems.

Problem #4 – Spectre can be exploited through code on web-pages, and browsers aren’t patched yet

To make matters worse, browsers are hard to keep updated/consistent, and many businesses rely on older browser versions for legacy application compatibility. To be protected from Spectre all browsers will have to be updated as soon as patches are released.

Problem #5 – It affects EVERYTHING

In addition to virtually all PCs, Macs, Servers, Smartphones and Tablets, it also affects the back-office equipment (storage systems, network equipment etc.). While the risk of an attack on these devices is lesser because they aren’t accessible, the impact could be greater if it did happen. Each device will have to be updated as firmware is released.

The impact on you

This is a landmark vulnerability and it comes at a time when Cyber Crime is experiencing explosive growth. Making sure your systems are patched with the latest software and firmware updates is going to be necessary to ensuring your business is safe from emerging threats.

As part of happier IT, we include patch management software that distributes patches to all the systems we support (these are systems that our agents are installed on). These tools make sure that Microsoft Windows as well as the most commonly used applications (including browsers like Chrome, Firefox and Safari) are updated when updates become available. In addition, we will be staying up-to-date on each vendor’s progress with regards to firmware updates and schedule the appropriate maintenance on eligible as required.

You will need to make sure that any systems that are not managed by happier IT, including your personal systems, are updated to protect yourself and your business. If a personal computer is not patched and becomes compromised, any passwords or data entered into that PC could be recorded by attackers. Those passwords could then be used to access your business network, your bank accounts or one of any number of other services you use.

Related Posts