What is Meltdown and Spectre?
You may have heard about Meltdown and Spectre in the news these past few days. There is a lot of confusing information out there since these vulnerabilities were revealed to the public much earlier than anticipated – so we’re going to keep this post as lean and mean as possible.
What we know is that these two vulnerabilities can be used to leak information by exploiting the way CPUs implement speculative execution. Since speculative execution is a fundamental tenet of high-speed CPU architectures, nearly all processors on the market are vulnerable to attack. We will be haunted by this Spectre for years to come.
It should be understood that Meltdown and/or Spectre impact nearly every personal computer, mobile phone, and cloud provider on the market. An attacker can exploit these to gain access to the protected memory of other running programs, and even data from other cloud customers. This includes password vaults and many other critical processes running on your computer.
Thankfully, Meltdown and Spectre are not remote code execution attacks. The attacker will need to be able to run software on your computer – which can be achieved through a vulnerable browser, social engineering, or simple remote access.
This means we need to be extra vigilant when it comes to applying security and software updates. Vendors are working as fast as possible to provide mitigations for Meltdown and Spectre and we need to be ready to apply them before attackers have a chance to use them.
What is affected by Meltdown?
Intel-based desktops, laptops, and cloud services may be affected by Meltdown independent of the OS they run. Nearly every Intel processor since 1995 is affected.
What is affected by Spectre?
Almost every system is affected by Spectre: desktops, laptops, cloud services, and smartphones. It has been verified that Spectre is exploitable on Intel, AMD, and ARM (this includes Qualcomm Snapdragon, Apple A-Series, and Samsung Exynos) processors.
How do I protect myself?
Vendors are actively working to release software and firmware vulnerability mitigations in their products as a high priority. While software updates will partially mitigate these attacks, firmware updates are also required. You will need to stay vigilant over the next few weeks to ensure that you get the latest security and firmware updates from your hardware and software vendors.
Everyone should ensure that their operating systems are set to automatically update and to download the latest BIOS from their manufacturers. If you have a question about this process, please don’t hesitate to reach out to your IT support team.
All Engineering teams should immediately begin testing server patches for Linux and Windows Operating Systems to assess stability, understand impacts of overhead and ensure capacity will not be affected when applying patches to production systems.
Microsoft has issued patches for Windows to mitigate the vulnerabilities. These will be available through Windows Update for all supported versions of Windows (provided you have compatible anti-virus software installed).
- Windows 10 Build 1709 (Fall Creators Update)
- Windows 10 Build 1703 (Creators Update)
- Windows 8.1
- Windows 7 SP1
Symantec has released an update for their Endpoint Protection product versions 12.1 and 14. It must be up-to-date before installing the above Windows security patches.
Specifically, the Symantec ERASER engine must be the most current version 117.0.359 or later.
If you have not done so yet, perform a Symantec Live Update to ensure the latest definitions which includes the latest ERASER engine update. You can verify which version you are on by opening Symantec and navigating to: Help > Troubleshooting > Versions > Eraser.
More information about the anti-virus compatibility issue here:
Apple has largely mitigated the vulnerability in macOS 10.13.2, but it is unknown if they are addressing the vulnerabilities in older versions of the operating system. macOS version 10.13.3 will likely complete the mitigations.
Linux (kernel 4.1.5) has been patched, but if you’re not familiar with updating the kernel yourself, you’ll want to wait for a vendor or distribution supported release.
Microsoft, Google (Chrome 64), and Mozilla (Firefox 57) are issuing patches to their browsers to help mitigate browser based attacks as well. Ensure automatic updates are enabled for internet browsers to update as soon as patches are made available.
Sources and Additional Information
Official Vulnerability Website:
Microsoft Guidance for IT Pros: