Processor Bugs Ring in the New Year

New System Vulnerabilities You Need to Know About

Researchers have disclosed vulnerabilities in the way processors are handling memory management while data is traversing the central processing unit of your system.

The latest update on these vulnerabilities can be found at this post from Project Zero.

Vulnerability Details: What You Need to Know

There are three known variants of the issue that have been classified under the following vulnerabilities:

  • Meltdown: Appears to affect laptops, desktop computers and internet servers with Intel chips. Proof of concepts are already coming out and show exploitation of this vulnerability in a number of ways, be it direct attacks from within an OS, or through applications like Chrome and Firefox browsers.
  • Spectre: Potentially has a wider reach. It affects some chips in smartphones, tablets and computers powered by Intel, ARM and AMD. Besides potentially affecting a wide variety of devices, Spectre’s larger concerns are for virtualized environments, which can mean two things:
    • A guest system could affect the security of the host computer on which it is running
    • The guest system could be leveraged to affect other guests on the same host

What Does It All Mean, and What Should You Do?

Because these vulnerabilities are with the CPU in your system, no operating system is safe if it is running on an affected processor.

Additionally, as noted by the various operating system vendors, the patches to fix these issues will have a negative impact on system performance, with some vendors stating as much as a 30% reduction in performance.

So, what should you do?

1. Plan to patch for the next several weeks. There is already a wide assortment of patches coming out from vendors.

Microsoft Notification
Apple Notification
Google Notification
Firefox Notification
VMWare Notification

2. Because of the threat posed to virtualized environments, expect some schedule downtime from your cloud providers. Thankfully, some of them, like Google and Amazon, have been working on the issue for a while. But there is more work in the coming weeks.

Azure Spectre/Meltdown notification
Amazon Notification

Immediate knowledge for an informed response can better position you for system protection. As you learn about and respond to these new vulnerabilities, feel free to contact us with any questions or concerns.