What’s the risk?
Meltdown and Spectre are two vulnerabilities which have been gaining substantial media attention over recent months. These vulnerabilities reside in the hardware of modern CPUs.
These hardware vulnerabilities allow programs and applications to steal data currently being processed on the computer including that of privileged applications. This data may include system passwords, passwords stored in secure password managers, personal emails and business critical documentation.
These vulnerabilities also present a significant risk to Service Providers, particularly those with multi-tenant environments as a malicious party may abuse their access to the system in order to obtain sensitive information relating to other tenants.
How might you be exposed?
The majority of Intel, AMD and ARM based CPUs used in modern electronic devices from computers to smartwatches are affected by Meltdown and Spectre. Techarp.com have formulated a complete list of CPUs affected by these vulnerabilities. For more information, see: https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/
What can you do to minimize your exposure?
Patches for Meltdown have been released for a majority of operating systems including Microsoft Windows; however, Spectre reportedly cannot be entirely patched at the Operating System level due to underlying issues in the CPU architecture, requiring an update to the silicon microcode. Spectre patches should be distributed by the silicon vendor to the system OEM, who should detail the necessary steps in order to apply the respective patches.
Depending on the age and architecture of the silicon, impacts to system performance are expected. More information on the performance impact is detailed in the following article from Microsoft:
While there are currently no instances of Meltdown and Spectre being exploited by malware in the wild, there is the potential risk of this occurring. With a significant number of security researchers working on proof-of-concept exploit code, it is only a matter of time until we start seeing these vulnerabilities being exploited.
CQR recommends that organisations continue to manage their systems through current patch management processes with a focus on critical patches relating to Meltdown and Spectre. These patches should be tested prior to full scale deployment as they are known to have considerable impacts on the performance and stability of systems.