Unless you’ve been meditating in a cave for the past month (and maybe even then) you’ve most likely heard some of the hype and wrangling around the Spectre and Meltdown vulnerabilities announced just after the New Year. These flaws have significant security implications for every organization.
Patching Meltdown and Spectre Vulnerabilities
Meltdown and Spectre are actually three related “side channel” attacks that exploit bugs in just about all Intel and some ARM and AMD processors used in servers, desktops, laptops and mobile devices, as well as in various appliances like application delivery controllers, WAN optimization boxes and software-defined storage. Countless IoT devices are also potentially affected.
These vulnerabilities basically allow malicious code to siphon data straight from the memory allocated to other programs. This could include passwords, account numbers, emails, instant messages or sensitive documents.
The two primary attacks that Meltdown and Spectre make possible are:
- Viewing and exfiltrating data being processed by other running programs or virtual servers on the same hardware
If you’re running applications on a computer with a vulnerable CPU and an unpatched operating system, your sensitive data is at risk. Hackers with access to your network could be stealing your data and you wouldn’t even know it, because these exploits don’t leave footprints behind in the log files. It also doesn’t matter if your application follows security best practices, because the exploits happen at the hardware level.
As with most security exposures, the most vulnerable systems are those that remain wide open to increasingly sophisticated and targeted attacks as the rest of the world patches and moves on.
You don’t want your systems to be among those left behind. Now is the time to make and verify these critical updates.
Updates for supported Windows systems have been available since January 3. Apple patched iOS and macOS back in December. Google Chrome and Firefox updates have been released. Patching Android phones is a bit trickier because many users must wait for their carrier to release the patch.
Spectre and Meltdown are technically complex, and there are still many unknowns around what hardware is vulnerable or what attacks hackers might eventually invent. What is known is that attacks are coming, and the best defense is a dependable patch management program.
To get help with setting up a patch management program and/or detecting critical vulnerabilities in your environment, contact Pivot Point Security.