Okay, so news broke around two weeks ago about the Spectre & Meltdown vulnerabilities. I am not calling it fake news but a lot of what we are getting from the media about this is either inaccurate or just doesn’t tell the whole story. My understanding is that some information was received prior to the IT communities planned release of information about Spectre and Meltdown and the media ran with it before there was enough information to really publish about it. Probably due to the number of household brand names that could possibly be affected. Names like DELL, Lenovo, & HP.
Here is a brief overview of these vulnerabilities.
There are actually three vulnerabilities that are being classified as two.
Meltdown – This one has the highest vulnerability for exploitation which makes it of most concern. In a nutshell, Meltdown allows a user process to read internal memory such as passwords.
Spectre – This one has two vulnerabilities (Bounds Check bypass and Branch Target Injection). They also make internal memory available to user processes; except this one specifically takes advantage of a delay in the time it takes for the CPU to check the validity of the memory access call. In this way, someone would try to grab what is in memory without allowing the CPU the ability to check the validity of the request. This one is extremely difficult to exploit.
With all of these vulnerabilities, there have been no confirmed exploitations. For now, these are just vulnerabilities. Not known attacks. This is evolving. There is no need to panic or rush into trying to resolve manually. In fact, rushing into applying an update without first checking prerequisites could actually cause problems.
Some operating systems have software fixes, but these are hardware vulnerabilities. According to vendors and partners of ours, a change to the architecture of the operating system is needed in order for the software patch to fix this issue. It also has been confirmed that there will be firmware updates, and that companies will need to contact their hardware vendors to see if updates are available. (Dell, Lenovo, HP, etc.) In the case of firmware, at times it is more dangerous to make the changes at the firmware level than the actual vulnerability itself.
Server 2008 & Server 2012 (except for the R2 versions) do not have updates yet. Reportedly due to the complexities in the architecture changes associated with it. They are still working on it.
Microsoft has said that if you have one of their products your normal updates will also include the necessary hardware updates.
For any other vendor, you will need to pay attention to these updates.
There is a difference between a known vulnerability and an active threat. Wannacry would be considered an active threat; as it has infected over 700,000 devices worldwide.
If this were considered an active threat or was a worldwide issue it would be a different situation. Because this is only a known vulnerability, the security threat is very low, and there are no known exploitations at this time we advise our customers not to jump ahead of the antivirus companies and try to apply a manual fix. With some antivirus solutions, people who began to push out patches were getting blue screen errors. Because of the antivirus compatibility issue, our advice is to treat it like any other monthly security update.
If this were an active fire situation, like Wannacry, we would say to pause, gather thoughts, and build a strategy. The Spectre and Meltdown vulnerabilities are not like that.
With all that being said, it is important that companies have an incident response plan in place. (Separate from a Disaster Recovery)
Things like this are going to be happening more frequently as time goes on. If you are to get hit with this or any other type of attack contact us at firstname.lastname@example.org so that we may help you restore and recover as seamlessly and quickly as possible.