Meltdown and Spectre Chip Flaw - Expect Software Patches Soon!

By now I’m sure you’ve heard about the Meltdown and Spectre chip flaw (Intel, AMD and ARM chipsets).All manufacturers that utilize these processors in their products will be patching the operating systems to protect the system from malware. Over the next few weeks, these patches will be released and you may need to apply them as recommended. Be aware, they may negatively affect the performance of your systems.Here is a short summary of the issues:

• The bug is actually three different bugs:
• Variant 1: bounds check bypass (CVE-2017-5753)
• Variant 2: branch target injection (CVE-2017-5715)
• Variant 3: rogue data cache load (CVE-2017-5754)
• Variant 1 and 2 are also called Spectre; Variant 3 is also called Meltdown
• All 3 variants affect Intel; AMD is only affected by Variant 1 Other CPUs/non-PC devices such as Android and iPhones are also affected
• This is a hardware bug that will have a mix of patches to mitigate
• This mix will include BIOS/firmware updates, Hypervisor patches, OS patches, application patches, etc.
• The mitigation will impact performance as it either disables insecure features or places more checks on them which will slow down the system. Reports of performance decreases range from 5% to 30% depending on the workload.
• Patches will touch almost every level of the enterprise from back end infrastructure to endpoints, and many components in between.
• The main recommendation at this point is to prepare to patch nearly every device in your entire infrastructure, as most will likely be vulnerable.
• Microsoft is blocking some updates. Check out this article if your 3rd party AV solution is not compatible: http://www.zdnet.com/article/windows-meltdown-spectre-fix-how-to-check-if-your-av-is-blocking-microsoft-patch/

Main vendor statements:

• CERT Vulnerability note with table to all known vendor statements
• Citrix
• Microsoft
• Cisco
• VMWare
• Apple
• Lenovo

Cloud providers:

• Amazon (AWS)
• Microsoft Azure
• Google Compute

Apps will also need patches. Some of the big ones will be browsers since they can store critical password information for some users:

• Chrome
• Mozilla

Looking for more information? Here are a few good, general articles :

• Original security post: https://googleprojectzero.blogspot.com/
• Summary Site: https://meltdownattack.com/
• Good summary that has been updated with lots of other articles: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

If you would like to consult with EDCi’s Engineering team about any systems affected please don’t hesitate to contact us, we’re here to help with the evaluation and remediation of this flaw.