The Office of Information Security is monitoring two major security vulnerabilities, named Meltdown and Spectre. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Both exploit flaws in modern processors that could allow an attacker to obtain sensitive information like passwords or banking information from an affected system.
There are currently NO reports of these vulnerabilities being exploited in the wild. Proof-of-concept code is available online, and it is only a matter of time until we see these vulnerabilities exploited within malicious code.
Desktop, laptop, VMware, and cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). AMD and ARM processors are also affected by these vulnerabilities.
Given the wide array of affected systems, patch availability will vary, as will the potential performance impact the patches may have on your environment. While most users won’t notice any performance impact, we recommend that you thoroughly test any patches before deploying them in a production environment.
- Apply appropriate patches or appropriate mitigations provided by vendors to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
- Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.
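
One way to confirm on a Linux host that the vendor patches recommended above are actually active, as an added example that is not part of the original advisory: it reads the kernel's own Meltdown and Spectre status files. It assumes a patched Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities; the function names and the --check argument are illustrative.

```shell
#!/bin/sh
# Added example: classify the kernel's self-reported Meltdown/Spectre status.
# Assumption: a Linux kernel that provides the sysfs directory below.
# Function names and the --check argument are illustrative.

# classify_status TEXT
# Prints one of: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_mitigations [DIR]
# Prints one line per issue; returns 0 only if nothing is vulnerable or unknown.
check_cpu_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            text=$(cat "$dir/$issue")
            state=$(classify_status "$text")
        else
            # No status file: the kernel predates this reporting interface,
            # so the host cannot be shown to be patched. Treat as unknown.
            text="(no kernel report)"
            state=unknown
        fi
        printf '%-11s %-12s %s\n' "$issue" "$state" "$text"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_cpu_mitigations "${2:-}"
    exit $?
fi
```

A non-zero exit status marks a host that still needs a kernel or microcode update, or whose kernel is too old to report its status.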