Spectre and Meltdown Vulnerabilities for IT Professionals

On January 3, 2018 information about three vulnerabilities in computer processors was made public (https://meltdownattack.com/ ). Collectively, these have been dubbed “Meltdown” (CVE-2017-5754) and “Spectre” (CVE-2017-5753 and CVE-2017-5715). Many vendors had this information prior to the disclosure and have released patches or are planning to do so soon. Others have begun work on them.

While these are effectively information disclosure vulnerabilities (though in the case of Meltdown it can lead directly to privilege escalation), they are fairly serious: potential impacts include a guest virtual machine stealing data from other virtual machines on the same host, and malicious JavaScript running in a browser reading sensitive information such as passwords. Note that multi-tenant environments such as VMware or Hyper-V virtualization servers or Remote Desktop Protocol servers are at elevated risk and should be addressed immediately.

This is a complicated set of vulnerabilities and remediation is neither simple nor consistent across platforms. Further complicating this is the fact that some of the patches are reported to have performance impacts of up to 30%. The Information Security Office offers the following guidance on a per-platform basis, including suggested priority in applying available patches and considerations before proceeding. If you have further questions, please email security@utexas.edu.

Windows Workstations:

Apple Workstations:

  • What: macOS 10.13.2 (“High Sierra”) is the only version for which a patch is currently available (https://support.apple.com/en-us/HT208394 ). It is not clear when or if patches for other versions will be available. Ensure that 10.13 users are on 10.13.2 and consider upgrading other users.
  • When: patch “as soon as practical” (this patch cycle or this month, whichever is sooner for 10.13, and when available or when you can upgrade for others)
  • Considerations: patches are currently only available for High Sierra

Web Browsers:

  • What: patch as updates are available from browser vendors, currently:
    • Firefox 57.0.4 and 52 ESR contain mitigations
    • IE/Edge are patched in KB4056890 (Windows 10) or KB4056568 (for IE on Windows 7 and 8)
    • Safari 11.0.2 is out for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
    • Google will release Chrome 64 on January 23 with a patch
  • When: patch “as soon as practical” (as updates come out, and look to iterate this patching as new releases come out across the browsers)
  • Considerations: patches will likely continue to come out from the vendors in at least the near term
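Because browser patching will iterate for some time, it helps to measure how much of your population is still on a pre-mitigation release. The following is an added example, not part of the ISO guidance, that applies the version floors listed above (Firefox 57.0.4, Chrome 64) to User-Agent strings taken from proxy or web server logs. The log lines are constructed for illustration. Two caveats the script encodes: Firefox User-Agents normally carry only major.minor (57.0, never 57.0.4), so a 57.x client can only be marked "verify" for endpoint inventory, and the page names 52 ESR without a point release, so 52.x is likewise "verify"; IE/Edge are fixed by a Windows KB that the User-Agent cannot reveal.

```python
import re
from typing import Dict, Tuple

# Minimum patched versions as stated in the advisory text above.
FIREFOX_MIN = (57, 0, 4)
CHROME_MIN = (64,)

# Constructed sample proxy log lines (not real traffic): client IP, then the quoted User-Agent.
SAMPLE_LOG = """\
10.0.0.11 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
10.0.0.12 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0.4"
10.0.0.13 "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.5.3"
10.0.0.14 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
10.0.0.15 "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36"
10.0.0.16 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"
10.0.0.17 "curl/7.58.0"
"""

UA_VERSION = re.compile(r"(Firefox|Chrome)/(\d+(?:\.\d+)*)")


def parse_version(s: str) -> Tuple[int, ...]:
    """'63.0.3239.132' -> (63, 0, 3239, 132); tuples compare lexicographically."""
    return tuple(int(p) for p in s.split("."))


def classify_ua(ua: str) -> Tuple[str, str]:
    """Return (browser, status) where status is 'patched', 'unpatched', 'verify' or 'unknown'.

    'verify' means the User-Agent alone cannot settle the question and the host
    needs an inventory check (Firefox point releases, ESR builds, Windows KBs for Edge).
    """
    # Edge UAs also contain a Chrome/ token, so rule Edge out first. Its fix is a
    # Windows KB (see the list above), which is invisible in the UA.
    if "Edge/" in ua:
        return ("Edge", "verify")
    m = UA_VERSION.search(ua)
    if not m:
        return ("other", "unknown")
    browser, version = m.group(1), parse_version(m.group(2))
    if browser == "Chrome":
        # Chrome reports its full build number, so the comparison is decisive.
        return ("Chrome", "patched" if version >= CHROME_MIN else "unpatched")
    major = version[0]
    if major == 52:
        return ("Firefox", "verify")          # 52 ESR is mitigated, but no point release is given
    if major < 57:
        return ("Firefox", "unpatched")       # older than the first mitigated mainline release
    if major == 57:
        # Firefox UAs usually show 57.0 even on 57.0.4; only a full version string decides.
        return ("Firefox", "patched" if version >= FIREFOX_MIN else "verify")
    return ("Firefox", "patched")


def summarize(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count (browser, status) pairs across a log of 'ip "User-Agent"' lines."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ua = line.split('"', 1)[1].rstrip('"') if '"' in line else line
        key = classify_ua(ua)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (browser, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{browser:8} {status:10} {n}")
```

Run against a real access log, the "unpatched" Chrome rows are actionable immediately; the "verify" rows are the ones to cross-check against your endpoint management inventory rather than assume either way.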

Mobile Devices (iOS/Android):

  • What: patch as updates are available from vendors, currently:
    • iOS 11.2.2 includes a patch for Meltdown and Spectre.
    • Android’s January security release will include patches for both.
  • When: patch “soon” (within a month of patch release)
  • Considerations: N/A

Windows Servers:

Linux Servers:

Cloud Environments:

  • What: Amazon Web Services and Microsoft Azure have applied patches to their environments. Customers must still apply patches to their operating systems (see relevant “Servers” section herein).
  • When: N/A
  • Considerations: N/A
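Applying the guest operating system patches is only half of the cloud item above; the other half is confirming the mitigations are actually active after reboot. The following is an added example, not part of the ISO guidance, for Linux guests: kernels from 4.15 onward (and distribution backports) expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ whose first word is "Not affected", "Mitigation:" or "Vulnerable". The script classifies those strings and treats a missing file as unverified rather than safe, since an older kernel simply does not report. The sample directory it builds is constructed for the test; on a real host call check_host() with no argument.

```python
import os
import tempfile
from typing import Dict, List

# sysfs directory the kernel populates for these issues (Linux 4.15 and later,
# plus vendor backports); the three file names are the kernel's own.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(text: str) -> str:
    """Map the kernel's status line to one of: not_affected, mitigated, vulnerable, unknown."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def check_host(base_dir: str = VULN_DIR) -> Dict[str, str]:
    """Read each issue file under base_dir; a missing file means the kernel cannot report."""
    results: Dict[str, str] = {}
    for issue in ISSUES:
        path = os.path.join(base_dir, issue)
        try:
            with open(path) as f:
                results[issue] = classify(f.read())
        except FileNotFoundError:
            # Pre-4.15 kernel or no backport: unverified, which is not the same as patched.
            results[issue] = "unreported"
    return results


def needs_action(results: Dict[str, str]) -> List[str]:
    """Issues that still require follow-up: vulnerable, unreported or unrecognised status."""
    return sorted(k for k, v in results.items() if v in ("vulnerable", "unreported", "unknown"))


def build_sample_sysfs() -> str:
    """Constructed sample, not a real host: Meltdown mitigated, Spectre v2 still
    vulnerable, and no spectre_v1 file at all (as on a kernel that reports only part)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "meltdown"), "w") as f:
        f.write("Mitigation: PTI\n")
    with open(os.path.join(d, "spectre_v2"), "w") as f:
        f.write("Vulnerable\n")
    return d


if __name__ == "__main__":
    target = VULN_DIR if os.path.isdir(VULN_DIR) else build_sample_sysfs()
    status = check_host(target)
    for issue, state in status.items():
        print(f"{issue:11} {state}")
    print("follow-up needed:", ", ".join(needs_action(status)) or "none")
```

Fed into a configuration management or monitoring run, needs_action() gives the list of hosts where the vendor patch either has not landed or landed without enabling the mitigation (for example, a kernel update that was installed but the machine has not yet been rebooted into it).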

Virtualization Environments (VMware, Hyper-V):

  • What: Apply vendor patches with urgency
  • When: patch “NOW”: AS SOON AS POSSIBLE
  • Considerations:
    • While this should be patched ASAP, do not skip testing first
    • We have not evaluated other hypervisors

Research Computing Environments:

  • What: These environments may be the most problematic. They tend to be multi-tenant (elevated risk) and performance-critical. Begin or continue to evaluate the potential performance impacts in your environment and develop a plan to address ASAP. FAS RC is working on this and we will share their strategy as it develops.
  • When: patch “as soon as practical” (as soon as you have a well-tested plan in place)
  • Considerations: see above with respect to performance
