Patching Spectre and Meltdown Vulnerabilities
Discovered in 2017 and publicly disclosed in January 2018, Spectre and Meltdown are two vulnerabilities in the design of modern processors; both abuse speculative execution to leak data across security boundaries. [1, 2]
These vulnerabilities place information held in memory (e.g. passwords, email, web browsing data, documents) at risk of theft. [2]
For Spectre to be exploited, a device must have a vulnerable processor. Security researchers have verified that Spectre can be exploited “on Intel, AMD, and ARM processors.” [2]
For Meltdown to be exploited, a device (laptop, desktop, server, smartphone, etc.) must have a vulnerable processor and the operating system (OS) running on it must be unpatched. While not all of the details are yet known, security researchers have verified that many Intel processors are vulnerable. [2]
Because the vulnerabilities lie in the processors themselves, OS and firmware updates can only mitigate them; a complete fix that does not degrade system performance may depend on the processors being redesigned. [3, 4, 5]
IT administrators should not wait to act. Many companies, including Microsoft and Apple, are releasing software updates to mitigate these vulnerabilities. [6, 7]
A number of hardware vendors are releasing firmware updates (including, but not limited to, BIOS updates) that deliver new CPU microcode. Updating firmware is a necessary step in mitigating Spectre and Meltdown, because part of the OS-level Spectre mitigation depends on the new microcode, and it is in any case a systems best practice: systems should run the most recent production security updates. [8]
Two cautions apply. Applying the wrong BIOS or firmware update to your hardware may leave it unusable (“bricked”). [9]
Likewise, if the device loses power during a BIOS or firmware update, the hardware may become unusable, so update from mains power, with a charged battery where applicable. [9, 10]
Each hardware, OS, and software vendor is responsible for providing its own patch. It has been reported that some updates may slow device performance. [11]
Intel has published benchmarks comparing a “Fully Mitigated System” with a “Non Mitigated System at 100%”, available at https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Blog-Benchmark-Table.pdf. [12]
Microsoft has released patches, but Windows Update will only offer them to a computer that has a compatible anti-virus product installed and on which that product has set a special registry marker confirming its compatibility. Some anti-virus products made unsupported calls into Windows kernel memory that caused blue-screen crashes after the kernel changes in the January 2018 updates, which is why Microsoft gates the updates on this marker. [6] The marker is the REG_DWORD value cadca5fe-e1e2-4a22-b1c2-b5a32d00c6b8, set to 0, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat. [6] If the marker does not exist, “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities.” [6]
According to one security researcher, the following anti-virus products have released updates that support the Microsoft patches but did not, as of 8 January 2018, automatically create the special marker; on machines running them the marker has to be set by hand. [13]
- AhnLab Internet Security (V3 family)
- BitDefender GravityZone Endpoint Security for Windows
- Carbon Black
- Cisco AMP
- CrowdStrike Falcon
- Cylance PROTECT
- Cylance PROTECT Home
- Cyren F-PROT
- Endgame
- FireEye Endpoint Security
- Fortinet Endpoint Security
- McAfee Endpoint Protection
- Nyotron PARANOID
- Palo-Alto TRAPS
- Panda
- QuickHeal Endpoint Security
- SentinelOne EPP
- Trend Micro
- Webroot WSA
If you use one of the anti-virus products listed above and are unsure or uncomfortable about creating the marker yourself, contact your IT provider.
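As an added example (not code from the original page, from Microsoft, or from any anti-virus vendor), the following PowerShell script checks the two preconditions described above on a Windows host: whether the microcode/firmware and Windows support for the Spectre and Meltdown mitigations are present, using Microsoft's published SpeculationControl module, and whether the QualityCompat registry marker exists, with a helper that sets it. The function names Test-QualityCompatMarker, Set-QualityCompatMarker and Get-MitigationSummary are this example's own; running it assumes an elevated PowerShell session on Windows and, for Install-Module, access to the PowerShell Gallery.

```powershell
# Added example; not part of the original page or of Microsoft's KB article.
# Assumes: elevated PowerShell 5.1+ on Windows; PowerShell Gallery access for
# Install-Module. The function names below are this example's own.

# Registry marker described in Microsoft KB 4072699: Windows Update offers the
# January 2018 updates only when this REG_DWORD exists with data 0.
$MarkerKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$MarkerValue = 'cadca5fe-e1e2-4a22-b1c2-b5a32d00c6b8'

function Test-QualityCompatMarker {
    # True only when the value is present AND its data is 0; any other data
    # does not satisfy the compatibility check.
    $item = Get-ItemProperty -Path $MarkerKey -Name $MarkerValue -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ([int]$item.$MarkerValue -eq 0)
}

function Set-QualityCompatMarker {
    # Run this only after confirming with the anti-virus vendor that the
    # installed product version is compatible; setting the marker for an
    # incompatible product can lead to a blue screen once the update installs.
    if (-not (Test-Path -Path $MarkerKey)) {
        New-Item -Path $MarkerKey -Force | Out-Null
    }
    New-ItemProperty -Path $MarkerKey -Name $MarkerValue -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-MitigationSummary {
    # Microsoft's SpeculationControl module reports, per mitigation, whether the
    # hardware (microcode/firmware) support, the OS support and the enablement
    # are present.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module -Name SpeculationControl
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        # Spectre variant 2 (branch target injection): the hardware support
        # comes from CPU microcode, which is why the firmware/BIOS update matters.
        SpectreV2_MicrocodeSupport = $s.BTIHardwarePresent
        SpectreV2_WindowsSupport   = $s.BTIWindowsSupportPresent
        SpectreV2_Enabled          = $s.BTIWindowsSupportEnabled
        # Meltdown (rogue data cache load): mitigated by kernel VA shadowing
        # (page-table isolation), which needs only the OS update.
        Meltdown_CpuAffected       = $s.KVAShadowRequired
        Meltdown_WindowsSupport    = $s.KVAShadowWindowsSupportPresent
        Meltdown_Enabled           = $s.KVAShadowWindowsSupportEnabled
    }
}

# --- main: report the state and tell the operator what is still missing ---
$summary = Get-MitigationSummary
$summary | Format-List

if ($summary.Meltdown_CpuAffected -and -not $summary.Meltdown_Enabled) {
    Write-Warning 'Meltdown: CPU is affected and kernel VA shadowing is not enabled; install the OS update.'
}
if ($summary.SpectreV2_WindowsSupport -and -not $summary.SpectreV2_MicrocodeSupport) {
    Write-Warning 'Spectre v2: Windows support is present but CPU microcode support is not; install the vendor firmware/BIOS update.'
}

if (Test-QualityCompatMarker) {
    Write-Output 'QualityCompat marker present: Windows Update can offer the January 2018 updates.'
} else {
    Write-Warning 'QualityCompat marker missing: confirm anti-virus compatibility with the vendor, then run Set-QualityCompatMarker.'
}
```

The script deliberately does not set the marker on its own: the marker is the anti-virus vendor's statement of compatibility, and setting it for a product that still makes unsupported kernel calls reproduces exactly the crash Microsoft's gate is meant to prevent. Re-run Get-MitigationSummary after the OS and firmware updates; SpectreV2_MicrocodeSupport turning true is the visible effect of a successful microcode update.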
1. https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
2. https://meltdownattack.com/
3. https://www.theregister.co.uk/2018/01/09/intel_boss_ces_keynote_spectre/
4. http://www.zdnet.com/article/spectre-and-meltdown-insecurity-at-the-heart-of-modern-cpu-design/
5. https://www.nytimes.com/2018/01/03/business/computer-flaws.html
6. https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
7. https://support.apple.com/en-us/HT208394
8. http://www.dell.com/support/contents/us/en/04/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre
9. https://www.howtogeek.com/126665/htg-explains-what-does-bricking-a-device-mean/
10. https://www.dell.com/support/article/us/en/04/sln284433/what-is-bios-and-how-to-update-the-bios-on-your-dell-system
11. https://www.kb.cert.org/vuls/id/584653
12. https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Blog-Benchmark-Table.pdf
13. http://www.zdnet.com/article/windows-meltdown-spectre-fix-how-to-check-if-your-av-is-blocking-microsoft-patch/