On January 3, 2018 information about three vulnerabilities in computer processors was made public (https://meltdownattack.com/ ). Collectively, these have been dubbed “Meltdown” (CVE-2017-5754) and ”Spectre” (CVE-2017-5753 and CVE-2017-5715). Many vendors have had this information previous to the disclosure and have released patches or are planning to do so soon. Others have begun work on them.

While these are effectively information disclosure vulnerabilities (though in the case of Meltdown it can lead directly to privilege escalation), they are fairly serious with potential impacts including guest virtual machines being able to steal data from other virtual machines and malicious JavaScript running in a browser to access sensitive information like passwords. Note that multi-tenant environments such as VMware or Hyper-V virtualization servers or Remote Desktop Protocol servers are at elevated risk and should be addressed immediately.

This is a complicated set of vulnerabilities and remediation is neither simple nor consistent across platforms. Further complicating this is the fact that some of the patches are reported to have performance impacts of up to 30%. The Information Security Office offers the following guidance on a per-platform basis, including suggested priority in applying available patches and considerations before proceeding. If you have further questions, please email security@utexas.edu.

Windows Workstations:

• What: Apply Microsoft patches (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 )
• When: patch “soon”: by next patch cycle or end of month, whichever is sooner
• Considerations:
  • See Microsoft advisory at https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in noting that your anti-virus software must be up to date and that there may be additional firmware updates required
  • Test the patches thoroughly for compatibility with anti-virus and performance before you deploy to your environment

Apple Workstations:

• What: macOS 10.13.2 (“High Sierra”) is the only version for which a patch is currently available (https://support.apple.com/en-us/HT208394 ). It is not clear when or if patches for other versions will be available. Ensure that 10.13 users are on 10.13.2 and consider upgrading other users.
• When: patch “as soon as practical” (this patch cycle or this month, whichever is sooner for 10.13, and when available or when you can upgrade for others)
• Considerations: patches are currently only available for High Sierra

Web Browsers:

• What: patch as updates are available from browser vendors, currently:
  • Firefox 57.0.4 and 52 ESR contain mitigations
  • IE/Edge are patched in KB4056890 (Windows 10) or KB4056568 (for IE on Windows 7 and 8)
  • Safari 11.0.2 is out for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
  • Google will release Chrome 64 on January 23 with a patch
• When: patch “as soon as practical” (as updates come out, and look to iterate this patching as new releases come out across the browsers)
• Considerations: patches will likely continue to come out from the vendors in at least the near term

Mobile Devices (iOS/Android):

• What: patch as updates are available from vendors, currently:
  • iOS 11.2.2 includes a patch for Meltdown and Spectre.
  • Android’s January security release will include patches for both.
• When: patch “soon” (within a month of patch release)
• Considerations: N/A

Windows Servers:

• What: Apply Microsoft patches (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002 )
• When: patch “soon”: by next patch cycle or end of month, whichever is sooner
• Considerations:
  • If you run a Hyper-V or RDP server, guidance is PATCH NOW
  • See Microsoft advisory at https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution noting that there may be additional firmware updates required and that changes to the registry may be necessary
  • Ensure your anti-virus program is up-to-date before you patch
  • Test the patches thoroughly for compatibility with anti-virus and performance before you deploy to your environment

Linux Servers:

• What: patch as updates are available from vendors, currently:
  • RedHat (/CentOS): https://access.redhat.com/errata/RHSA-2018:0007
  • Amazon Linux: https://alas.aws.amazon.com/ALAS-2018-939.html
  • Ubuntu: no patch available yet: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
• When: patch “soon”: by next patch cycle or end of month, whichever is sooner
• Considerations: Test the patches thoroughly for performance before you deploy to your environment

Cloud Environments:

• What: Amazon Web Services and Microsoft Azure have applied patches to their environments. Customers must still apply patches to their operating systems (see relevant “Servers” section herein).
• When: N/A
• Considerations: N/A

Virtualization Environments (VMware, Hyper-V):

• What: Apply vendor patches with urgency
  • VMware: https://www.vmware.com/security/advisories/VMSA-2018-0002.html
  • Microsoft Hyper-V: see “Microsoft Servers” above
• When: patch “NOW”: AS SOON AS POSSIBLE
• Considerations:
  • While this should be patched ASAP, do not skip testing first
  • We have not evaluated other hypervisors

Research Computing Environments:

• What: These environments may be the most problematic. They tend to be multi-tenant (elevated risk) and performance-critical. Begin or continue to evaluate the potential performance impacts in your environment and develop a plan to address ASAP. FAS RC is working on this and we will share their strategy as it develops.
• When: patch “as soon as practical” (as soon as you have a well-tested plan in place)
• Considerations: see above with respect to performance