The Heat is On

Security Spotlight: Meltdown and Spectre ♬ ♫ The Heat is On ♬ ♫

Ahhhhh, that Glenn Frey Billboard Top 10 hit song from 1984’s highest-grossing film, Beverly Hills Cop.

The race to patch against the Meltdown and Spectre processor vulnerabilities disclosed last week is underway, and amid the chaos and confusion surrounding the issues, one thing is for sure: ‘The Heat is On’. We Meltdown into what will surely be one of the highest-expenditure vulnerabilities to mitigate since that mid-80s classic film was released, given that these vulnerabilities affect the processors present in almost all modern computing devices, including personal computers, servers, cloud infrastructure, phones and tablets, with some IoT devices being incapable of being patched at all!

Let’s break down the vulnerabilities to provide some order to the chaos.

Breaking down the vulnerabilities

The Meltdown Vulnerability:

CVE-2017-5754 can potentially allow hackers to bypass the hardware barrier between applications and kernel or host memory. A malicious application could, therefore, access the memory of other software, as well as the operating system. Any system running on an Intel processor manufactured since 1995 (except Intel Itanium and Intel Atom before 2013) is affected.

An excellent resource can be found at meltdownattack.com, which provides a listing of major vendors’ information security advisories and a glimpse of the Meltdown exploit in action!

The Spectre Vulnerability:

Spectre has two variants: CVE-2017-5753 and CVE-2017-5715. These vulnerabilities break isolation between separate applications. An attacker could potentially gain access to data that an application would usually keep safe and inaccessible in memory. Spectre affects all computing devices with modern processors manufactured by Intel or AMD, or designed by ARM.

Does this impact my company’s internal IT infrastructure or my personal computing devices?

Simply stated – Yes.

The vulnerabilities are present on all devices with affected CPUs, including desktops, laptops, servers, cloud infrastructure, and mobile devices.

However, operating system and software patches mitigate the risks posed by Meltdown and Spectre.

So, get to patching your company assets and personal devices, rinse and repeat 😊.
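To confirm that patching actually took effect on a Linux host, the kernel's own mitigation report can be read and mapped to the three CVEs above. This is an added example, not Prophix's tooling: it assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities/`, and the function names are illustrative.

```python
import tempfile
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities")
# Kernel sysfs file name -> CVE named in this article
CHECKS = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

def classify(text):
    """Map the kernel's status string to a coarse patch state."""
    value = text.strip()
    if value == "Not affected":
        return "not_affected"
    if value.startswith("Mitigation:"):
        return "mitigated"
    if value.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def audit(root=SYSFS):
    """Return {CVE: (state, raw kernel string)} for the three CVEs."""
    report = {}
    for name, cve in CHECKS.items():
        try:
            raw = (Path(root) / name).read_text().strip()
        except OSError:
            # No file: the kernel predates the reporting interface (or this
            # is not Linux), so the host cannot be counted as patched.
            report[cve] = ("unknown", "")
            continue
        report[cve] = (classify(raw), raw)
    return report

def needs_attention(report):
    """CVEs that are neither mitigated nor reported as not affected."""
    ok = ("mitigated", "not_affected")
    return sorted(cve for cve, (state, _) in report.items() if state not in ok)

def demo():
    """Run the audit over constructed sample files (not real host data)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "meltdown").write_text("Mitigation: PTI\n")
        Path(tmp, "spectre_v1").write_text("Vulnerable\n")
        # spectre_v2 is deliberately absent to show the missing-file case
        return audit(tmp)

if __name__ == "__main__":
    for cve, (state, raw) in audit().items():
        print(f"{cve}: {state} ({raw or 'no kernel report'})")
```

A missing file is reported as `unknown` rather than as patched, so hosts running kernels too old to report their status still show up in a coverage count.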

Meanwhile, the bad guys will be looking to design exploits for Meltdown and Spectre, if they haven’t already.

So far there is no evidence that exploits against the vulnerabilities are in the wild. However, if an attacker is well-funded and motivated – think bitcoin/blockchain hacking – we may indeed see a further rise in temperature…

The Prophix Approach

At Prophix, we have automated vendor patching both internally and within our Prophix Cloud SaaS offering, immediately responding to and mitigating the risks posed by Meltdown and Spectre across our service offering.

From the initial patch releases on January 3rd, 2018, our underpinning cloud infrastructure provider, AWS, began ensuring all systems were patched at the microcode level.

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

After initial testing, our automated patching ensured all operating system patches were deployed, with complete coverage attained in less than 72 hours!

‘The Heat is On’ in the race to deploy patches globally; however, things are a lot cooler when leveraging the power of the cloud, automation and Prophix Cloud SaaS.

Kristofer Laxdal

Experienced Director Information Security with a demonstrated history of working in the computer software industry. Strong engineering professional skilled in ISO 27001, Vulnerability Management, IT Service Management, IT Strategy, and Data Center.
