Security Bulletin: Meltdown & Spectre

January 5th, 2018

Throughout the day, CIS has been monitoring the ongoing reports related to two vulnerabilities uncovered in global PC hardware. These vulnerabilities were discovered by Google’s Project Zero team, whose findings were first reported via the Open Source community, and potentially impact processors from Intel, AMD, and ARM. Unlike many common vulnerabilities, “Meltdown” and “Spectre” reside at the chip level, exploiting foundational aspects of how processors work and potentially impacting computing hardware worldwide. Project Zero’s research suggests that Meltdown “potentially affects every Intel processor made since 1995.”

Both vulnerabilities take advantage of a process known as “Speculative Processing” (speculative execution), which makes computing more efficient by anticipating processing requirements and starting them ahead of time. The results of work that was started speculatively and then discarded can expose critical information, such as passwords and other access credentials, which can be used to gain further access to systems. It has been found that this vulnerability can be exploited across virtual servers resident on the same host system. Because of this, public cloud-based servers, such as those on AWS and Azure, are also potentially vulnerable to this exploit.

This remains a developing situation. At this time, all major manufacturers, including Microsoft, Apple, Amazon, and Google, are releasing security patches and updates to their cloud, server, and PC products to bridge the vulnerability until further firmware upgrades can be provided. The major public cloud services have already applied security updates to their back-end and have announced that they are no longer vulnerable; however, there may be a notable impact on processing speed.

Early in the response, Microsoft issued a critical update to address Meltdown and Spectre; however, it had unexpected impacts on various systems, causing failures and “Blue Screen of Death” outages. Microsoft responded by making the update available only to systems that have anti-virus from a vendor whose registry key provides compatibility with the released update. Once the update is deployed, systems will be protected against vulnerabilities from Speculative Processing; however, Microsoft warns that this could slow system speeds by up to 30%.

CIS’ Security Team continues to monitor these developments. While there is no known code “in the wild” being used to take advantage of these vulnerabilities, several security experts have reported seeing such code in development. It is important to mitigate any potential security risks and, as always, to be vigilant against allowing potential malware into secure computing environments.

The CIS team will be getting in touch with any Managed Services clients with specific information shortly. All required updates and patches will be handled as part of the standard patching process, or sooner, following update discussions. CIS has deployed Webroot Anti-Virus for most Managed Services clients; Webroot is fully compatible with the required updates and should present no technical problems. Following initial fixes, CIS will continue to provide updates and further support as new options emerge. It is currently anticipated that this will require firmware updates; at a minimum, there will be additional patches and required updates. Rest assured, incidents like this are precisely the reason to have a Managed Services contract. The CIS team will do everything in our power to ensure your protection.

For independent remediation, CIS recommends the following steps:

  • Check for, and execute, pending Anti-Virus updates to ensure the registry key will be compatible with Microsoft’s update
  • Check for, and execute, pending Windows Security updates
  • Check for, and execute, pending Operating System updates
  • Check for, and execute, any pending Browser updates
  • Review download and install rights and restrict to users who need them
  • Review best practices for email “phishing” and social engineering with all users

If you have any questions or concerns, or would like to engage the CIS team for direct support, please do not hesitate to contact our service department (support@cisus.com / 212-577-6033 x235) or your account representative (Group Contact: sales@cisus.com).

Further updates will be provided as more details emerge.