This week, details have emerged on serious flaws in processors that allows hackers to steal sensitive data, including passwords and banking information. The vulnerabilities – dubbed Meltdown and Spectre – are known to affect ARM, AMD and other chips.
Meltdown is easier to exploit. While the news has become public this week, some tech companies have known about these vulnerabilities for months while working on fixes and mitigations. One of the downsides of these mitigations is that the fix may slow down your device.
Who is at risk of an attack?
Anyone who has a device (laptop, desktop, server, mobile phone, tablet, etc.) less than 20 years old.
AMD chips power nearly all personal computers and the computers used in data centers, including those that power online services and cloud computing services. ARM chips power many smartphones and embedded devices.
Look out for security updates!
Every PC, laptop and smartphone user needs to update multiple pieces of software on their device to protect against these vulnerabilities.
- Look out for security updates from suppliers that run software on these devices, like Microsoft Windows, or Apple’s iOS. Here is a good resource with an updated list of patches.
- Check with your open source operating system vendor or system manufacturer and apply any available updates as soon as they are available.
- Some internet browsers may be affected. Mozilla said its internal experiments have confirmed it is possible to use techniques that are similar to Meltdown and Spectre on web content. Look out for updates for Google Chrome and Mozilla Firefox.
- This is much scarier in the cloud, where the same server could be working for dozens of people at once. Service providers such as Amazon, Microsoft and Google are working to patch the servers used in their data centers. Users may experience down time.
How should my team protect against future vulnerabilities?
Follow good security practices. Protection against malware may help protect against possible exploitation until updates can be applied.
PATCH PATCH PATCH! Always keep your software updated. This applies not only to software you buy, but also to open source software your developers use to build code. Staying informed about software vulnerabilities can be a challenge– take advantage of advisories and alerts offered by research teams such as Secunia Research.
Here is the set of all Secunia Research Advisories, to date, related to the Meltdown and Spectre CVEs:
SA80843, SA80836, SA80856, SA80866, SA80883, SA80887, SA80921, SA80907, SA80874, SA80900, SA80927, SA80938
SA80103, SA80104, SA80839, SA80899, SA80857, SA80843, SA80836, SA80856, SA80866, SA80883, SA80887, SA80921,
SA80907, SA80874, SA80927
SA80942, SA80941, SA80955, SA80933, SA80915, SA80890, SA80900, SA80855, SA80873, SA80872, SA80901, SA80839,
SA80856, SA80866, SA80883, SA80887, SA80921, SA80907, SA80874, SA80927
Speed up the process of identifying, prioritizing and fixing software vulnerabilities to stay ahead of hackers. Don’t let unmanaged Open Source Software be your weakest link.
Back up your data. Always have a secure copy of your data outside your facility, in case of a breach.
This will not be the last vulnerability. And like other ones in the recent past (WannaCry, Heartbleed, and Apache Struts come to mind), it will leave a long trail of unpatched, vulnerable systems in its wake. To stay secure, patch your systems as soon as updates are released.
In a world where software is shared widely and is so interconnected, investing in software security and cooperating across the software industry should be the new mindset. Companies should no longer see security as an overhead but as a competitive advantage. As the world has come to depend on these products, both businesses and consumers should demand nothing less.
By: Ritu Kapoor