The National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert regarding security vulnerabilities, known as Meltdown and Spectre, that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
Integrity Technology Solutions began testing and applying available security updates and we are continuing to monitor reports for newly released updates to address the vulnerability.
Have there been any reported data breaches because of these vulnerabilities?
No. There have not been reports of hackers using this exploit yet, but that means we are in a race to get systems patched and protected.
What do the Meltdown and Spectre vulnerabilities do?
These vulnerabilities have the potential to provide unauthorized access to privileged information on nearly all smartphones, servers, PC’s, and Macs. Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.
Are my devices at risk?
Yes. All Intel, AMD, and ARM processors made in at least the last 10 years are confirmed to be affected. This includes computers, laptops, servers, smartphones, cloud services, and tablets. This means more than 99.9% of computing devices in the world are affected by these vulnerabilities and will need to be updated. The devices that are most adversely affected are servers that are virtual machine hosts. The vulnerability allows a hacker to read data on one virtual machine from another virtual machine on the same host. Note: a hacker would have to already have access to one of your servers for this to be exploited. Integrity provides many other layers of security protection to help prevent this.
What is Integrity doing to protect its clients?
Integrity will update the systems for all of our managed clients to help reduce the risk from these vulnerabilities. Integrity was aware of this vulnerability from various IT security bulletins, forums, and websites since Tuesday morning and has already been responding and working on protecting our clients against this vulnerability.
The security patch to help address this vulnerability has been released by Microsoft as an “out of band” patch. These are essentially emergency patches. Some antivirus programs can cause bluescreen system crashes upon applying this patch, but the antivirus that Integrity uses for our clients, is one of the few antivirus providers to have already certified with Microsoft for compatibility with the patch. Integrity is already in the process of deploying this new Microsoft patch, and will be applying these over nights and weekends to minimize disruption to our clients.
What do I need to do?
Leave your PC’s online so they can be updated overnight. As you do every day, please reboot your PCs at the end of the working day and leave them turned on, at the login screen, and connected to the network overnights and weekends. This allows Integrity to apply these security updates in a timely manner to protect your data, while minimizing impact on your day-to-day. These are good habits to develop in general, not just during this and future security vulnerability bulletins.
What about my devices at home?
Check your Automatic Updates in Windows Control Panel. Microsoft is releasing its "out of band" patch for Windows 7 and newer. Please make sure you have your antivirus software updated, then run Windows Update to completion. Turning on automatic updates on your home computers is always a good idea as well!
If you have Apple devices, Apple is only patching the latest version of Mac OS (iMac and Macbook), "High Sierra" 10.13.2 and the latest version of iOS (iPhone and iPad) 11.2. To stay protected, Apple is recommending upgrading to the latest OS.
For Android devices, Google has also released their January 2018 Security patch, but depending on your cell phone carrier, it may or may not be available to you yet. Applying the update when you receive notification is strongly recommended.
What if I have any additional questions?
If you are a current Integrity client, please contact your Strategic Business Advisor or Technology Advisor. If you would like to contact us for an assessment of your organization's IT security, please fill out the "Contact Us" section on our website and we will schedule a risk assessment.
Please note that there is a great deal of misinformation floating around! We are working to test and verify the information that is available and are carefully considering mitigations. Additional information about affected systems and vendor response can be found from these links:
US-CERT – https://www.us-cert.gov/ncas/alerts/TA18-004A
Graz University of Technology – https://meltdownattack.com/