Keeping Up with Meltdown & Spectre: What it is & How You Can Protect Yourself

Chances are you've already heard about the newly-disclosed CPU vulnerabilities known as Meltdown and Spectre. To help protect you from these vulnerabilities, you will be required to implement OS, Software, BIOS and Firmware updates.

As a Managed Services provider, we are actively rolling out the patches to our clients as they are released and have put together an overview of the vulnerabilities for review. They encompass the details as well as relevant links that will be helpful in understanding the scope, consequences, and patches involved with these issues.

Meltdown and Spectre Overview:

Official vulnerability website hosted at the Graz University of Technology
https://meltdownattack.com and https://spectreattack.com

Meltdown and Spectre are vulnerabilities that affect modern computers and could leak passwords and sensitive data if they are exploited. They were discovered in mid-2017 and released to the public last week along with the first round of patches to protect against them. Together, these two security breaches affect all modern Windows, Mac and Linux desktops as well as iPhone and Android smartphones.

We recommend you run all updates on your phones and home computers as well as update browsers such as Chrome and Firefox.

Patches are currently available for the following OS:

• Windows 7, 8, and 10
• Mac OS - High Sierra
• Linux
• iOS 11
• Android v 5.0 and later

If you have a Mac or smartphone older than 2015, it most likely doesn't have the current OS with an available patch. You will need to update your OS or replace your device with a newer model to be protected from the vulnerability.

In addition to patching your OS, it is important that you verify that your antivirus (AV) program has also been patched. If your AV hasn’t been patched, it may block the OS updates trying to fix this issue.

Other Technical Links:

SANS Technical presentation on the vulnerability by Jake Williams

• https://www.youtube.com/watch?v=8FFSQwrLsfE

Microsoft "Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the ... registry key."

• https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

Security researcher Kevin Beaumont has compiled the relevant antivirus compatibility details in a spreadsheet

• https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true

Apple released patches for all recent versions of macOS and iOS

• https://support.apple.com/en-us/HT208394

Google has published mitigations for Chrome browser and other products

• https://www.chromium.org/Home/chromium-security/ssca
• https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

Firefox has addressed this as of version 57.0.4

• https://www.mozilla.org/en-US/security/advisories/mfsa2018-01

CERT Vulnerability Note

• https://www.kb.cert.org/vuls/id/584653

Contact us about any questions or concerns regarding Meltdown and Spectre.