Information On The Spectre/Meltdown Security Vulnerability


You’ve most likely heard the names “Spectre” or “Meltdown” used to describe a serious security flaw that primarily affects any computer running an Intel-based CPU (chip). We’d like to bring you up to date on what Intellect IT has been doing to help address and protect our managed clients from this threat.

Firstly, the only way to describe this flaw is to say that it’s “complicated”. It affects all kinds of IT equipment, worldwide. But the main cause for concern is its effect on servers and PCs that have been equipped with the vulnerable CPUs.

A brief background. In January 2018, researchers revealed that they had found two security vulnerabilities in most of the chips being used in computing devices today. They dubbed these vulnerabilities Meltdown and Spectre. It was also discovered that hackers could exploit these CPUs to steal sensitive data (such as encryption keys and passwords) from applications installed on an affected device.

What is it? Meltdown and Spectre are found in different areas of the chip. Meltdown exists in the chip’s software, Spectre exists in the chip’s architecture. Researchers found that they could exploit both Meltdown and Spectre by running a malicious JavaScript file in an affected device’s web browser.

Who/What is affected? All the affected chips use a technology known as speculative execution to optimise the speed of computer processes. During this process, data is temporarily made available outside of the CPU, potentially exposing it to any hackers who exploit the Meltdown and Spectre vulnerabilities.

There is a long list of Intel, AMD, and ARM chips that have been confirmed to have the Meltdown and Spectre vulnerabilities. This means that most types of computing devices are susceptible, such as smartphones, tablets, desktop computers, and servers. Similarly, most operating systems are affected, such as Windows, macOS, iOS, Android, Chrome, and Linux.

Who’s been hacked? To date, there have not been any documented cases of hackers exploiting Meltdown or Spectre. However, the serious nature of the threats and the chips’ widespread use have prompted an alert by the U.S. Computer Emergency Readiness Team (US-CERT), a division within the U.S. Department of Homeland Security. Despite there being no known attacks, chipmakers have been working with each other and with Microsoft and Apple to fix the security holes.

 

What Is Intellect IT doing? How Long Until This Flaw Will Be Patched?

 

As mentioned at the beginning of this article, this flaw is complicated. There are three main components, all requiring attention: first, your operating system (OS); second, your AntiVirus (AV) product; third, your hardware and its BIOS. Your BIOS is an OS built only for the hardware components of your device.

Patching your OS. Microsoft have released a patch for Windows and their suite of Server OSes, but they are only allowing it to be installed onto devices whose AV they consider to have been ratified. Microsoft found that, after devices were patched, certain AV products made the device unstable and would cause it to crash. It is up to AV vendors to prove to Microsoft that their AV products will not cause this to happen. To date, not all AVs have been ratified, but testing continues.

Your AV product. As per above, unless Microsoft has given your AV product a green light, their OS patch will not be applied. It is the responsibility of the AV vendor to contact Microsoft and confirm their product is OK. If your AV vendor has not been ratified, the OS patch is not being offered or applied to your device. As such, your device will remain unprotected from the flaw. We have found a list showing the state of AVs and their approval. If your AV is not on this list, or not approved, you need to contact your AV provider directly.

Patching BIOS and hardware. Many hardware manufacturers are scrambling to write patches for both BIOS and hardware. Many of these patches have been reported as unstable and subsequently withdrawn from download sites. There is no definitive list of updates, and no single source of information on their availability. It is entirely in the hands of each hardware manufacturer.
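A read-only inventory of the three components above on a single Windows device, added here as an example (it is not Intellect IT's tooling). It assumes PowerShell 3.0 or later; the registry value is the AV-compatibility marker Microsoft documented for the January 2018 updates, and the `SecurityCenter2` WMI namespace exists only on client editions of Windows, so the AV list comes back empty on a server.

```powershell
# Added example: read-only inventory of OS, AV and BIOS state.
# Nothing on the device is changed.

# Marker an AV vendor sets to tell Windows Update its product is compatible
# with the January 2018 security updates (REG_DWORD, data 0).
$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-AvCompatMarker {
    # $true only when the value exists and is 0; a missing key or value is $false.
    $item = Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$compatValue -eq 0)
}

function Get-RegisteredAv {
    # AV products registered with Windows Security Center (client Windows only).
    try {
        @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object -ExpandProperty displayName)
    } catch {
        @()   # namespace not present, e.g. on Windows Server
    }
}

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

# One row per device: what would need patching, and whether the OS patch
# is currently being held back by the AV check.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OS              = "$($os.Caption) (build $($os.BuildNumber))"
    Cpu             = $cpu.Name
    RegisteredAV    = (Get-RegisteredAv) -join '; '
    AvCompatMarker  = Get-AvCompatMarker
    BiosVendor      = $bios.Manufacturer
    BiosVersion     = $bios.SMBIOSBIOSVersion
    BiosReleaseDate = $bios.ReleaseDate
}
```

A device reporting `AvCompatMarker = False` is one where the AV check described above is still blocking the OS patch; the BIOS fields give the version to compare against whatever the hardware manufacturer publishes.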

Intellect IT’s role. For our managed clients, we have gathered information about your devices that we monitor. We know which devices have suitable AV, we know which devices qualify for the patch, and we know what brand/hardware your monitored devices are running on. Very soon your account manager will be contacting you to discuss your position with regard to this flaw, and the best way for you and your business to move forward.

However, there have been numerous reports of patch failures, poor AV performance, and conflicting information about hardware and BIOS patches. Intellect IT has chosen to wait until we receive solid verifiable confirmation that patches work. Only then will we begin distributing such patches to our managed clients. To do so prematurely risks crashing your devices.

Avoid applying any patches, updates, or hardware/firmware upgrades until advised by Intellect IT that it’s OK to proceed!

 

What You Need To Know About The Patches.

 

There are two important points to keep in mind regarding these patches:

  • The patches will likely do a good job at mitigating the Meltdown threat because it is a software-based weakness. However, some analysts are not as confident that the Spectre patches will work well because that vulnerability exists in the chip’s architecture. They fear that a chip redesign might be necessary to eliminate the problem. Only time will tell if the Spectre patches will work.
  • The updates will likely slow down your devices’ processing speed. The extent of the slowdown will depend on many factors, such as a device’s operating system, the size of the workloads being run, and the chip’s model and age. In general, devices with higher workloads, older chips, and older operating systems will see greater hits in performance.

What You Can Do Whilst Waiting For Stable Patches.

 

Avoid applying any patches, updates, or hardware/firmware upgrades until advised by Intellect IT that it’s OK to proceed!

Please remember, there have yet to be any reports of hackers successfully using this flaw to their advantage. To exploit the Meltdown and Spectre vulnerabilities, malicious code needs to be installed and executed on a device. Cybercriminals often use phishing emails for this purpose. Thus, it is important to let employees know about the dangers of clicking links and opening attachments in emails. Retrain all your staff on sensible, safe email practices. At Intellect IT we have a saying about any potentially suspicious email: if there’s the slightest doubt, throw it out.

But above all, be wary of any email claiming it contains security patches for this latest exploit. Warn your staff about the possibility of getting phishing emails urging them to install a Meltdown and/or Spectre patch on their devices. If they fall for this, they will likely be installing malware.

As soon as Intellect IT has been advised that patches are good, stable, and working, we will be contacting our managed clients and helping them attend to this flaw. Until then we ask for your patience; your account manager will contact you soon to have a more detailed discussion.

Avoid applying any patches, updates, or hardware/firmware upgrades until advised by Intellect IT that it’s OK to proceed!
