Patching Spectre and Meltdown Vulnerabilities

Discovered in 2017 and publicized in 2018, Spectre and Meltdown are two new vulnerabilities in how certain microchips were designed. [1, 2]

These vulnerabilities place information stored in memory (e.g. passwords, email, web browsing information, documents, etc.) at risk of theft. [3]

For Spectre to be exploited, a device must have a vulnerable processor. Security researchers have verified Spectre can be exploited “on Intel, AMD, and ARM processors.” [4]

For Meltdown to be exploited, a device (laptop, desktop, server, smartphone, etc.) must have a vulnerable processor and the Operating System (OS) running on that device must be unpatched. While not all of the details are currently known, security researchers have verified that many Intel processors are vulnerable. [5]

Because the vulnerabilities lie in the processors, a complete fix that does not degrade system performance may depend on the processors being redesigned. [6, 7, 8] IT administrators should not wait to do something about this. Many companies, including Microsoft and Apple, are releasing software updates to help patch these vulnerabilities. [9, 10]

A number of hardware vendors are releasing firmware updates (including but not limited to BIOS updates). Updating firmware (i.e. microcode) is a necessary step in mitigating the risk of Spectre or Meltdown being exploited, and it is also a systems best practice: systems should be kept on the most recent release (production) security updates. [11] It is important to note that using the wrong BIOS or firmware update for your hardware may result in the hardware becoming unusable. [12] Additionally, if the device loses power during a BIOS or firmware update, your hardware may become unusable. [13, 14]

Each hardware, OS, and software vendor is responsible for providing their own patch. It has been reported that some updates may slow down device performance. [15] Intel has published benchmarks showing the difference in device performance for a “Fully Mitigated System” vs a “Non Mitigated System at 100%” which can be read at https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Blog-Benchmark-Table.pdf. [16]

Microsoft has released patches, but for your computer to see those patches it must have a supported anti-virus product installed, and that anti-virus product must create a special marker that confirms to Microsoft that it supports the new patches. If the special marker does not exist, “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities.” [17]
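A read-only way to check a machine for the marker described above, as an added example that is not part of the original post. The registry key and value name are the ones documented in the Microsoft support article cited as reference 17 (KB4072699), not values given on this page; the function names are hypothetical.

```powershell
# Added example: read-only audit of the anti-virus compatibility marker
# documented in Microsoft KB4072699. It changes nothing on the system.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-AvCompatMarker {
    # Returns an object describing whether the marker is present and valid.
    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        KeyExists    = Test-Path -LiteralPath $KeyPath
        ValuePresent = $false
        ValueKind    = $null
        Data         = $null
        MarkerValid  = $false
    }
    if ($result.KeyExists) {
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -contains $ValueName) {
            $result.ValuePresent = $true
            $result.ValueKind    = $key.GetValueKind($ValueName)
            $result.Data         = $key.GetValue($ValueName)
            # KB4072699 specifies a REG_DWORD with data 0x00000000.
            $result.MarkerValid  = ($result.ValueKind -eq 'DWord' -and $result.Data -eq 0)
        }
    }
    [pscustomobject]$result
}

function Get-RegisteredAntivirus {
    # Windows Security Center exists only on client editions of Windows;
    # on Server the query fails and an empty list is returned.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
            Select-Object -ExpandProperty displayName
    } catch { @() }
}

$marker = Get-AvCompatMarker
$av     = @(Get-RegisteredAntivirus)
$marker | Format-List
'Registered anti-virus: ' + $(if ($av.Count) { $av -join ', ' } else { 'none reported' })
if (-not $marker.MarkerValid) {
    Write-Warning 'Marker missing or malformed: per KB4072699 this machine will not be offered the January 2018 or later security updates.'
}
```

Comparing the reported anti-virus product against the marker state shows which machines have an updated product that has not yet set the marker.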

According to one security researcher, here is a list of anti-virus products that have updates to protect against one or both of these vulnerabilities but do not, as of 8 January 2018, automatically create the special marker. [18]

If you use one of the above listed anti-virus programs and you are unsure or uncomfortable with manually creating the special marker yourself, please Contact Us.

If you are a current Micro Systems Management client with one of the above listed anti-virus programs and you subscribe to our ProSysCtrl managed services solution, we have already created the special marker for you.

  1. https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
  2. https://meltdownattack.com/
  3. https://meltdownattack.com
  4. https://meltdownattack.com/
  5. https://meltdownattack.com/
  6. https://www.theregister.co.uk/2018/01/09/intel_boss_ces_keynote_spectre/
  7. http://www.zdnet.com/article/spectre-and-meltdown-insecurity-at-the-heart-of-modern-cpu-design/
  8. https://www.nytimes.com/2018/01/03/business/computer-flaws.html
  9. https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
  10. https://support.apple.com/en-us/HT208394
  11. http://www.dell.com/support/contents/us/en/04/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre
  12. https://www.howtogeek.com/126665/htg-explains-what-does-bricking-a-device-mean/
  13. https://www.howtogeek.com/126665/htg-explains-what-does-bricking-a-device-mean/
  14. https://www.dell.com/support/article/us/en/04/sln284433/what-is-bios-and-how-to-update-the-bios-on-your-dell-system
  15. https://www.kb.cert.org/vuls/id/584653
  16. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Blog-Benchmark-Table.pdf
  17. https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
  18. http://www.zdnet.com/article/windows-meltdown-spectre-fix-how-to-check-if-your-av-is-blocking-microsoft-patch/
Wednesday, January 10th, 2018 Cybersecurity, ProSysCtrl