Meltdown and Spectre require that you put aside standard maintenance schedules and weekly patching windows in favor of emergency out-of-band mitigation. It's not enough to wait for your next patch cycle to apply these fixes. Where possible, patches should be applied as soon as they become available.
In this blog article, we will detail exactly what steps you should take today for each affected technology platform.
By now you’ve heard about or read about the CPU security vulnerabilities affecting millions of computers, and you might be confused as to what these vulnerabilities mean and what you’re supposed to do about them. Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) are hardware vulnerabilities that potentially affect CPUs from AMD*, ARM, and Intel, and therefore almost every PC, laptop, tablet, cloud server, and smartphone in use, regardless of manufacturer or operating system. All three vulnerabilities, if exploited, can break memory isolation and protection: information leaks across that boundary can allow an attacker to obtain unauthorized access to sensitive data being processed on the target system.
Hardware manufacturers (including CPU manufacturers), operating system developers, cloud service providers, and browser developers have released and continue to release out-of-band patches to mitigate these significant vulnerabilities. By the end of January, all software-related fixes and patches should be in place, but some of the vulnerabilities can only be fully addressed by changes in processor architecture, which is not a software patch but a hardware change in the CPU. CPU manufacturers are releasing firmware (microcode) updates as an interim solution.
Operating systems vulnerability mitigation:
- Windows – Microsoft has issued out-of-band patches for Windows 10. Other Microsoft operating systems will be patched during regular Patch Tuesday releases on January 9, 2018.
- macOS – If you’ve upgraded to High Sierra (10.13.2), most of the vulnerabilities are already patched, but watch for 10.13.3, which will likely complete the patches.
- Linux – Linux distribution developers have released kernel page-table isolation (KPTI) patches that move the kernel into a separate memory address space, so that user-mode code can no longer leak kernel memory via Meltdown.
- Android – Google has released patches for Pixel/Nexus as part of the January security update. Non-Google device owners will have to update as manufacturers release patches.
- Chrome browser – Users should enable Site Isolation on their devices to prevent browser-related exploits of these vulnerabilities.
- CPU Firmware – System administrators will have to check with their hardware vendors for specific CPU firmware patches.
- Anti-malware – Update all anti-malware applications to detect new exploits targeting these vulnerabilities.
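Once the Linux KPTI and related kernel updates are installed, the kernel reports its own view of the mitigation state. The following shell script is an added example, not part of the original post: it reads the per-vulnerability status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities (assumed present, i.e. kernel 4.15 or a distribution backport) and, on x86, looks for the `pti` flag in /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not from the original post): report the kernel's own view of the
# Meltdown/Spectre mitigation state. Assumes a kernel that exposes the
# /sys/devices/system/cpu/vulnerabilities interface (4.15+ or a backport).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<name>: <kernel status>" for one sysfs entry.
# Returns 0 if the kernel reports a mitigation or "Not affected",
#         1 if it reports "Vulnerable",
#         2 if the entry is missing or unrecognised (treat as unpatched).
check_vuln() {
    name="$1"
    file="$VULN_DIR/$name"
    if [ ! -r "$file" ]; then
        echo "$name: no sysfs entry (kernel too old to report; assume unpatched)"
        return 2
    fi
    status=$(cat "$file")
    echo "$name: $status"
    case "$status" in
        "Not affected"|Mitigation:*) return 0 ;;
        Vulnerable*)                 return 1 ;;
        *)                           return 2 ;;
    esac
}

# Overall verdict across the three CVEs named in the post.
# Returns 0 only if every entry reports a mitigation or "Not affected".
audit_cpu_mitigations() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        check_vuln "$v" || rc=1
    done
    # On x86 a KPTI-enabled kernel adds "pti" to the cpuinfo flags line.
    if [ -r /proc/cpuinfo ] && grep '^flags' /proc/cpuinfo | head -n 1 \
            | tr ' ' '\n' | grep -qx pti; then
        echo "cpuinfo: pti flag present (KPTI active)"
    fi
    return "$rc"
}

audit_cpu_mitigations && echo "RESULT: all reported mitigated" \
                      || echo "RESULT: action needed (apply kernel/firmware updates)"
```

A result of "action needed" means at least one entry still reads "Vulnerable" or is missing, which is the case on unpatched kernels and on kernels that predate the sysfs interface.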
We recommend that you follow safe computing practices that include applying all security updates and patches for operating systems, applications, and hardware. Out-of-band patches, such as the ones described in this post, should be applied as soon as their respective vendors release them. Delay in applying these patches and updates could cause loss of data and have serious security consequences.
Security researchers agree that the most likely attack vector for exploiting these vulnerabilities is the browser. Browsers that ship with the operating system, such as Internet Explorer/Edge and Safari, are covered by the operating system updates above; browsers installed separately must be updated individually by system administrators and users alike. Mozilla (Firefox) and Google (Chrome) have released fixes and patches for their respective browsers.
Applying these updates will consume significant numbers of technical resources and also likely require multiple maintenance windows. System administrators should prepare to schedule downtime and quickly install newly released updates.
*AMD released an announcement stating that their processors are not impacted by speculative execution vulnerabilities. However, security researchers have found that AMD CPUs have a separate vulnerability in the Trusted Platform Module (TPM).