The Heat is On

Security Spotlight: Meltdown and Spectre ♬ ♫ The Heat is On ♬ ♫

Ahhhhh that Glenn Fry Billboard Top 10 Hit song from 1984’s highest grossing film Beverly Hills Cop.

The race to patch against the Meltdown and Spectre processor vulnerabilities disclosed last week is underway and amid the chaos and confusion surrounding the issues  – one thing is for sure –  ‘The Heat is On’ as we Meltdown into what will surely one be the highest expenditure related vulnerabilities to mitigate since that mid-80s classic film was released, given that these vulnerabilities affect the processors present in almost all modern computing devices, including personal computers, servers, cloud infrastructure, phones and tablets – with some IoT devices being incapable of being patched at all!

Let’s break down the vulnerabilities to provide some order to the chaos.

Breaking down the vulnerabilities
Breaking down the vulnerabilities

The Meltdown Vulnerability:

CVE-2017-5754 can potentially allow hackers to bypass the hardware barrier between applications and kernel or host memory. A malicious application could, therefore, access the memory of other software, as well as the operating system. Any system running on an Intel processor manufactured since 1995 (except Intel Itanium and Intel Atom before 2013) is affected.

An excellent resource can be found at meltdownattack.com, which provides a listing of major vendor’s information security advisories and a glimpse of the Meltdown exploit in action!

The Spectre Vulnerability:

Has two variants: CVE-2017-5753 and CVE-2017-5715. These vulnerabilities break isolation between separate applications. An attacker could potentially gain access to data that an application would usually keep safe and inaccessible in memory. Spectre affects all computing devices with modern processors manufactured by Intel or AMD, or designed by ARM.

Does this impact my company’s internal IT infrastructure or my personal computing devices?

Simply stated – Yes.

The vulnerabilities are present on all devices with effected CPUs, including desktops, laptops, servers, cloud infrastructure, and mobile devices.

However, operating system and software patches mitigate the risks posed by Meltdown and Spectre.

So, get to patching your company assets and personal devices, rinse and repeat 😊.

Meanwhile, the bad guys will be looking to design exploits for Meltdown and Spectre —if they haven’t already.

So far there is no evidence that exploits against the vulnerabilities are in the wild, however, if an attacker is well-funded and motivated – think bitcoin/blockchain hacking – we may indeed see a further rise in temperature…

The Prophix Approach

At Prophix, we have automated vendor patching both internally and within our Prophix Cloud SaaS offering, immediately responding to and mitigating the risks posed by Meltdown and Spectre across our service offering.

From initial patch releases on January 3rd, 2018 our underpinning Cloud Infrastructure Provider, AWS, began ensuring all systems were patched at the microcode level.

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

After initial testing, our automated patching ensured all operating system patches were deployed with complete coverage attained in less than 72 hours!

‘The Heat is On’ in the race to deploy patches globally, however, things are a lot cooler by leveraging the power of the cloud, automation and Prophix Cloud SaaS.

Kristofer Laxdal

Experienced Director Information Security with a demonstrated history of working in the computer software industry. Strong engineering professional skilled in ISO 27001, Vulnerability Management, IT Service Management, IT Strategy, and Data Center.

Download the Prophix CPM Overview
CPM Overview

Let’s Stay Connected!

Sign up to get the lastest Prophix blog

Archives