Advice re. the "Meltdown" and "Spectre" CPU vulnerabilities
There has been widespread media coverage of two related CPU vulnerabilities that have recently been made public. These are serious issues that need to be addressed, though it is important to note that there is no evidence of active exploitation / malware / viruses leveraging either vulnerability at this stage. Note that mobile devices as well as computers are affected.
Meltdown is a kernel vulnerability that circumvents the barrier between the core and user processes on an affected computer, and could enable privilege escalation (normal user account / process acting as an admin account / process).
Spectre is a vulnerability that removes the barriers between applications / processes on an affected computer. There are already proof of concepts demonstrating how this could be achieved in a remote attack.
What this means in practical terms is that by using these vulnerabilities an attacker may be able to gain access to private data including passwords, run arbitrary code/install malware, and circumvent some multi-factor authentication.
Low-level vulnerabilities like these are (thankfully) rare as they can have wide-ranging implications - the impact of these specific issues could be felt for some time.
The good news is that most of the major players have updates out already to help mitigate the risk associated with Meltdown and Spectre, while there are more on the way.
As some of the media stories indicate, the short term patches may have a performance impact on your system, however in most cases this is only likely to be noticeable to servers running large workloads such as database servers and multi-user environments. The impact will also vary by the age and type of CPU.
If you are running infrastructure on AWS, Azure, Google Cloud etc. those systems should already be patched, unless you are managing the operating systems yourself. If you are hosting your own infrastructure or are with a smaller provider it would be sensible to confirm with the team responsible that they have a test, patch and rollout plan in place.
For your own devices the recommendation is:
- Confirm your important data is backed up
- Update your antivirus product - This step is important because some antivirus products will cause issues with the latest OS updates. There is a compatibility matrix for Windows here.
- If updating Windows and no other system back in place, at a minimum create a system restore point. Note that there are reports of the Windows updates causing BSOD / crashes, so it may be worthwhile waiting for further updates.
- Update your Operating System - Mac OSX, Windows, Linux, Android (may vary by manufacturer), iOS. See also Apple Security Updates.
- Apply device firmware updates e.g. HP, Dell, Lenovo, Microsoft Surface
- Update your web browsers - including Chrome and Firefox. IE and Edge will be included in Windows updates as they become available - more info here.
With Chrome you can also enable Strict Site Isolation to help protect against Spectre specifically.
Release from US-Cert: https://www.us-cert.gov/ncas/alerts/TA18-004A
Apple Support notification and product updates:
- macOS High Sierra 10.13.2
- OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
- iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
CERT NZ advisory
Reports of the Windows updates causing BSOD / crashes,
You can read more technical information on the the project sites listed above as well as from: