Meltdown and Spectre

By now, you’ve probably read the news about the “Meltdown” and “Spectre” vulnerabilities in CPUs from Intel, AMD, and other vendors. There’s a lot of speculation and confusion surrounding this issue right now, mostly because the chip manufacturers themselves haven’t really given us much to go on, and vendors all across the sector are scrambling to identify and patch vulnerable systems.

Here’s what you need to know:

First off, if you’re interested in the gory details, here’s a link for you from US-CERT, the DHS’s Computer Emergency Readiness Team:

https://www.kb.cert.org/vuls/id/584653

Basically, these chip manufacturers have built performance-improving mechanisms into their processors, and it has recently been discovered that some of these mechanisms are susceptible to exploits that would give an attacker access to privileged system information. This could theoretically include any kind of information on your computer. If this sounds to you like a really big problem, you’re paying attention. This is probably the most far-reaching and ubiquitous cybersecurity vulnerability to date.

That’s the bad news. The good news is…well, there isn’t any. But there’s “better” news. First of all, as of right now, there are zero known real-world exploits of this vulnerability, though it’s safe to assume they’re coming. Secondly – and this is a pretty important mitigating factor – this isn’t a primary exposure; an attacker would need to already have access to your system to exploit the vulnerability. This access would be gained via typical means; basically, they would have to get some malicious code to run on your system before being able to exploit the CPU vulnerabilities. This is “better” news because, for organizations with a proactive managed services/managed security process, safeguards against malicious mobile code are already in place. The following measures are in place for NetWatch managed clients:

  • DNS filtering – all URL requests are filtered through a proxy that blocks access to both known malicious sites, and suspected sites based on reputation, behavior, and relative newness.
  • Endpoint antivirus/firewall – all endpoints are protected with endpoint security software that cannot be unloaded by the end user. The software is reloaded automatically every day and updated continuously against new threats.
  • Firewall – the perimeter firewall – the device that protects your internal network from the public Internet – has intrusion prevention, antivirus, and threat management features, as well as additional content filtering.
  • Browsers – browsers are restricted to an approved set of plug-ins; malicious plug-ins are blocked.

Essentially, best security practices continue to apply. And, as always, the end user is the first and last line of defense against attackers. Be mindful and diligent when using information systems. Don’t click on links or open attachments unless they’re something you’re expecting. Scrutinize every single incoming email. Don’t fall for support scams such as browser pop-ups alerting you to supposed virus infections and giving you a number to call.

As for patching the vulnerabilities themselves, the chip manufacturers have been relatively silent. Microsoft does have a patch that will mitigate the vulnerability in Windows operating systems, but there’s one problem: several antivirus programs are incompatible with the patch and may cause machines to crash if it is applied. Webroot (our provider) has stated they’ll have an update out this week that will allow the Microsoft patch to be installed. In the interest of stability, we won’t be applying the Microsoft patch until the Webroot update is pushed out. Our cloud service providers are also adhering to this policy.
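As an added example (not code from this post or from NetWatch), here is a read-only PowerShell check an administrator can run on a Windows endpoint to see whether the antivirus vendor has set the compatibility flag that Microsoft gates the patch on, and, where Microsoft’s SpeculationControl module is installed, whether the OS mitigations are actually enabled. The registry value name and the module’s property names are assumptions drawn from Microsoft’s documentation, not from this page.

```powershell
# Added example, not part of the original post. Read-only status check for a
# Windows endpoint before approving the Microsoft update discussed above.
# Assumptions: the antivirus-compatibility registry value Microsoft documented
# for that update, and Microsoft's optional SpeculationControl module.

function Test-AvCompatFlag {
    # Antivirus vendors signal compatibility by creating this REG_DWORD with data 0.
    # Windows Update withholds the January 2018 security update until it exists.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 0)
}

function Get-MitigationStatus {
    # Uses Microsoft's SpeculationControl module if it has been installed
    # (Install-Module SpeculationControl); returns $null when it is absent.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        return $null
    }
    Import-Module SpeculationControl
    return Get-SpeculationControlSettings
}

$compat = Test-AvCompatFlag
Write-Host ("AV compatibility flag set: {0}" -f $compat)
if (-not $compat) {
    Write-Host "  -> Windows Update will not offer the patch until the AV vendor sets the flag."
}

$status = Get-MitigationStatus
if ($null -eq $status) {
    Write-Host "SpeculationControl module not installed; run 'Install-Module SpeculationControl' to query mitigation state."
} else {
    # BTI = branch target injection (Spectre variant 2); KVA shadow = kernel
    # address isolation for Meltdown. Each must be present AND enabled.
    Write-Host ("Spectre v2 OS mitigation enabled: {0}" -f $status.BTIWindowsSupportEnabled)
    Write-Host ("Meltdown OS mitigation enabled:   {0}" -f $status.KVAShadowWindowsSupportEnabled)
}
```

A compatibility flag that is absent is the expected state on the machines this post describes until the Webroot update lands; the script only reports, it changes nothing.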

Of course, this is a developing situation, so we don’t know everything yet. But we’re getting new information as soon as it comes out, and of course passing that along to our clients.


DC