What is Meltdown and Spectre?
You may have heard about two big vulnerabilities in the news these past few days, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715). These vulnerabilities can be used to leak information from protected processes by exploiting the way CPUs implement speculative execution. Speculative execution is a fundamental tenet of high-speed processing in modern CPU architectures. Because of this, almost all high-performing processors on the market are vulnerable to one of these attacks.
If it’s not clear by now, Meltdown and/or Spectre impact almost all personal computers, mobile devices, and even cloud providers. Malicious programs can exploit these vulnerabilities to get secrets stored in the memory of other running programs. This includes your passwords and other protected data on your devices.
Fortunately for us, patches and firmware from vendors will mitigate the worst of these attacks. Always install the latest security patches!
It’s important to note that these vulnerabilities require attackers to locally execute malicious code on the system. Meltdown and Spectre are not remote code execution attacks and they are read-only. That said, they can be used to access privileged information on the system (including administrative passwords which can then be used in a code execution attack).
What is affected by Meltdown?
Intel-based desktops, laptops, and cloud services may be affected by Meltdown independent of the OS they run. Nearly every Intel processor since 1995 is affected.
What is affected by Spectre?
Almost every system is affected by Spectre: desktops, laptops, cloud services, and smartphones. It has been verified that Spectre is exploitable on Intel, AMD, and ARM (this includes Qualcomm Snapdragon, Apple A-Series, and Samsung Exynos) processors.
How do I protect myself?
Vendors are actively working to release software and firmware vulnerability mitigations in their products as a high priority. While software updates will partially mitigate these attacks, firmware updates are also required. You will need to stay vigilant over the next few weeks to ensure that you get the latest security and firmware updates from your hardware and software vendors.
Everyone should ensure that their operating systems are set to automatically update and to download the latest BIOS from their manufacturers. If you have a question about this process, please don’t hesitate to reach out to your IT support team.
All Engineering teams should immediately begin testing server patches for Linux and Windows Operating Systems to assess stability, understand impacts of overhead and ensure capacity will not be affected when applying patches to production systems.
Microsoft has issued patches for Windows to mitigate the vulnerabilities. These will be available through Windows Update for all supported versions of Windows (provided you have compatible anti-virus software installed).
- Windows 10 Build 1709 (Fall Creators Update)
- Windows 10 Build 1703 (Creators Update)
- Windows 8.1
- Windows 7 SP1
Symantec has released an update for their Endpoint Protection product versions 12.1 and 14. It must be up-to-date before installing the above Windows security patches.
Specifically, the Symantec ERASER engine must be the most current version 117.0.359 or later.
If you have not done so yet, perform a Symantec Live Update to ensure the latest definitions which includes the latest ERASER engine update. You can verify which version you are on by opening Symantec and navigating to: Help > Troubleshooting > Versions > Eraser.
More information about the anti-virus compatibility issue here:
Apple has largely mitigated the vulnerability in macOS 10.13.2, but it is unknown if they are addressing the vulnerabilities in older versions of the operating system. macOS version 10.13.3 will likely complete the mitigations.
Linux (kernel 4.1.5) has been patched, but if you’re not familiar with updating the kernel yourself, you’ll want to wait for a vendor or distribution supported release.
Microsoft, Google (Chrome 64), and Mozilla (Firefox 57) are issuing patches to their browsers to help mitigate browser based attacks as well. Ensure automatic updates are enabled for internet browsers to update as soon as patches are made available.
Sources and Additional Information
Official Vulnerability Website:
Microsoft Guidance for IT Pros: