What You Need to Know About Spectre and Meltdown

It’s 2018 and we are already starting the new year with two new security risks: the recently disclosed processor vulnerabilities called Meltdown and Spectre. On Tuesday January 2, security researchers published a significant finding: a flaw in nearly all modern microprocessor chips allows attackers to gain varying levels of access to protected kernel memory areas. The kernel is the core of a computer’s operating system, with complete control over everything on the system. Fixes for many operating systems are available in the form of a security patch.

How serious is this?
Meltdown is “probably one of the worst CPU bugs ever found” according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw. It is very serious in the short term and needs immediate attention. The underlying issue with Meltdown is that anything that runs as an application could potentially steal your data, including passwords and JavaScript from a web page viewed in a browser.

Spectre is more difficult for hackers to take advantage of but is also more difficult to fix, and is expected to be a bigger problem in the long term.

Who is affected?
These two major flaws in computer chips could leave a huge number of computers and smartphones vulnerable, potentially allowing an attacker to read sensitive data stored in memory. Almost every computing system (desktops, laptops, smartphones, and cloud servers) is affected by the Spectre bug. Meltdown appears to be specific to Intel, impacting all Intel systems from laptops to servers.

National Cyber Security Centre Guidance:

https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance

US-CERT (United States Computer Emergency Readiness Team) has a helpful list of affected vendors and links to associated remediation steps:
https://www.us-cert.gov/ncas/alerts/TA18-004A

Intel Firmware Update
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Microsoft released an update for devices running Windows 10
https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

Potential impact on processors in the IBM Power family (patches available January 9th)
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Linux system administrators should examine the Linux Kernel Mailing List (LKML) website:
https://lkml.org/lkml/2017/12/4/709

Red Hat system administrators should examine this website (which is updated routinely):
https://access.redhat.com/security/vulnerabilities/speculativeexecution?sc_cid=701f2000000tsLNAAY

SUSE system administrators should examine this website:
https://lists.suse.com/pipermail/sle-security-updates/2018-January/003562.html

Users and administrators are urged to update their computers with the latest security fixes as soon as possible. We also encourage users to refer to their OS vendors for the most recent information. Because the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.
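Because a patch may not fully address the problem, it helps to confirm what the running Linux kernel itself reports after updating. The following is an added example, not part of the original article or of any vendor's tooling. It assumes a kernel that exposes the `/sys/devices/system/cpu/vulnerabilities` status files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize the kernel-reported status for Meltdown and Spectre.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities.
# The directory is a parameter so the check can also run on a copied tree.
# Usage: check_speculative_execution [directory]

classify_status() {
    # $1 = first line of a status file, as written by the kernel
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

check_speculative_execution() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        # No reporting interface: the kernel cannot confirm any mitigation.
        echo "status directory not found: $dir"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(head -n 1 "$dir/$name")
            state=$(classify_status "$line")
        else
            line="(file missing)"
            state="unknown"
        fi
        printf '%-12s %-13s %s\n' "$name" "$state" "$line"
        case "$state" in
            vulnerable|unknown) rc=1 ;;   # needs follow-up with the OS vendor
        esac
    done
    return $rc
}
```

The function returns 0 only when every entry is reported as mitigated or not affected, 1 when any entry is vulnerable or unknown, and 2 when the status directory is absent.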

Champion is ready to help you evaluate your patching strategy and give you best practices around mitigating risk on this most current security issue. Learn more about our security capabilities at: https://www.championsg.com/services/security


WRITTEN BY:

Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.

Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.

Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!