What To Know About the Meltdown and Spectre Security Bugs
Two critical security vulnerabilities announced this week could expose sensitive information on a large majority of current computer systems, including PCs, Macs, and even mobile devices. The names that have been given to these flaws, which relate directly to CPU architecture, are Meltdown and Spectre.
Google has summarized Meltdown and Spectre by saying that they can be exploited "to steal data which is currently processed on the computer." This data includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."
When a user application runs on your computer, that application is isolated from the operating system itself. Meltdown allows a program to break that isolation and access the “in between” space where leaked information could be found. If you are working with sensitive information on a vulnerable machine, this data could be exposed.
Microsoft has already released a patch for Meltdown. However, there have been numerous reports that the interaction of this patch with many antivirus products can cause a system crash. Antivirus vendors are currently working to ensure compatibility, and many have already released updates to address this issue. Envision is tracking all this activity closely.
For Envision clients who subscribe to Antivirus delivered by our Ground Control solution, we will be updating all systems as soon as the necessary releases are available. If you subscribe to Envision’s Managed Endpoint Services, your servers and workstations will then receive the Microsoft patch once antivirus has been updated. We will be communicating directly with those customers to schedule emergency patching windows as needed.
If you are not currently subscribed to Envision’s managed services platform or you are handling this yourself, our recommendation is to continue to track the antivirus vendors' progress and wait for these fixes to be released. Once they are released, your antivirus applications will need to be updated first, and then any additional patches for your operating system will need to be applied.
While Meltdown breaks the isolation between a user application and the OS, Spectre breaks the isolation between different applications. Spectre essentially tricks applications into accidentally disclosing information that would normally be inaccessible and safe inside their protected memory area. Ironically, the best practices and safety checks that these applications use actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is ultimately a more difficult exploit to handle, and because it’s based on an established practice in multiple chip architectures, it’s going to be even trickier to fix.
It’s important to note that there is currently no definitive patch for Spectre, as this could require CPU re-architecture. However, many browser developers, including Google, Microsoft, and Mozilla, have already updated their browsers to help protect against Spectre exploits. Envision will continue to monitor the situation closely and will alert you to any further recommendations.
What to Do
According to Google, Chrome will also receive mitigations to protect against Meltdown and Spectre exploitation in Chrome 64, which is due to be released on January 23.
Until then, Google recommends that users enable a new security feature it shipped in Chrome 63 called Strict Site Isolation.
Microsoft has also released updates for Edge and Internet Explorer as part of an out-of-band update for Windows operating systems, released yesterday.
Firefox users are advised to update to Firefox 57.
For iOS and OSX:
In a recent statement, Apple acknowledged that their devices, including Macs, iPhones, iPads, and iPods, were vulnerable to Meltdown and Spectre. They have gone on to say that:
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
Envision Is Here For You
The situation regarding Meltdown and Spectre is changing quickly, and Envision is staying on top of these changes to ensure that the latest patches and updates are applied for our clients.
If you have any questions or concerns about these vulnerabilities, would like assistance with remediating these or other vulnerabilities, or want to learn more about our server, desktop, and 3rd party patching and managed services programs, please contact us.