| Info | ||
|---|---|---|
| ||
This issue is active and new information will be added as it becomes available. |
| Table of Contents |
|---|
Issue
Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs. At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. It affects operating systems and can leverage web browsers to attack. Reduced performance on Intel-based Microsoft Windows, MacOS, or Linux servers may be experienced as the operating systems are patched to close the security hole. One projections puts this at a performance reduction between 17% and 23%.
Recommendations
...
- Stay clam - it is a real issue with complex solutions that will shift priorities
- Patch your operating systems, browsers, and other software
- Prioritize patching your browser(s)
- IMPORTANT NOTE: Windows patch may need to be manually enabled
Understand your anti-virus product impact. These software may cause problems with Windows updates - patch may not be available until anti-virus updates are available.
Understand your cloud infrastructure (IaaS) impact. Your provider may reboot your host(s) but you will still need to apply OS and software patches.
Summary Articles and Useful Links
- Summary of issues: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
- Intel's response: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
- Impact of patches and updates: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
- It can leverage web browsers: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
- A security researcher has a Google Docs spreadsheet of the status of AV products here: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/edit#gid=0
- List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates: https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/
Technical Details
More information, including two papers on the CPU issues, has been released. These papers are technical descriptions of the bugs. Meltdown works on Intel processors only, Spectre works on Intel, AMD, and ARM processors.
...