Spectre and Meltdown Security Vulnerabilities
On 4 January 2018, Google Zero (a Google 'watchdog' division) identified two new security vulnerabilities, named Spectre and Meltdown, that affect almost all Intel, AMD, and ARM processors. This is a global issue reaching across all industries and technologies. Meltdown and Spectre are not exactly the same, but they are related and use a similar exploit mechanism to gain access to computer data.
What are Meltdown and Spectre?
All computer devices have CPUs which optimize operations to be as fast as possible. Meltdown and Spectre are exploits that operate within the specific computer chip architecture. They have the potential to read the protected memory locations used by a device and applications (including browsers) that store information in the kernel memory, including potentially sensitive data.
To harvest the information, the exploit must be run locally on the machine, and must be loaded through an application. Therefore, it’s not easy to do this via an “email link” or to launch a machine-specific application targeted at this vulnerability.
What Meltdown and Spectre are not
These exploits do not enable the takeover of the device, so they are not traditional “malware”. Nor do they expose a device to any modification of its operations.
What are the risks?
There isn't any known use of the current exploits today, but the nature of the potential attacks makes them difficult to detect. Experts expect that hackers will develop programs to launch attacks now that these vulnerabilities have been exposed. Large data centers with large data sets are at the greatest risk, and they have been, and continue to be, vigilant.
While these new exploits are concerning, as are all potential security risks, many patches to address these issues are already implemented and available as software or firmware updates to your system.
How this may impact your business
It is important that all your IT systems are updated as soon as software or firmware patches for these vulnerabilities are available.
This means all of the software or firmware services your business uses internally, and all services you provide to your customers (not just the Fred ones), should have the applicable security patches applied.
What Fred is doing
Fred has begun analysing and applying the required security patches for all cloud and Fred-managed systems for our customers. As information and patches become available for systems managed by Fred, these will be applied to ensure the necessary security level is maintained.
What you should do
All the major operating system and cloud companies are working on fixes for these vulnerabilities and have provided, or are in the process of providing, software and firmware updates.
To guard against these vulnerabilities, you should ensure your store computers and devices are up-to-date with all applicable security patches as they are released. Consulting with your respective software provider prior to any updates will reduce the potential for compatibility risks.
Ensure every PC and device in your store has a certified antivirus system installed (there are only three certified by Microsoft at the time of publishing this advisory; ESET is one), and that antivirus definitions are current and up-to-date.
More information
There is a wealth of information out now on what Meltdown and Spectre do; however, some of it can be confusing or misleading. These problems are moving fast, so ensure the information you are reading is up-to-date. The following articles are a good place to start:
- Meltdown (security vulnerability) on Wikipedia
- Spectre (security vulnerability) on Wikipedia
- What are the Meltdown and Spectre exploits? on Network World