The Meltdown and Spectre vulnerabilities are the first big web-based security news of the year, and we’re only in the first week of 2018!
It’s big news, and it should be: the vulnerabilities potentially affect all Intel chips used in servers, PCs, laptops, mobiles and tablets, as well as some CPUs from other manufacturers such as AMD and ARM.
Firstly, don’t panic!
It is worth noting that these vulnerabilities have been detected primarily by Google’s own internal Project Zero team. As such, there are no known exploits in the wild today, and exploiting Meltdown and Spectre on specifically targeted data would be difficult due to the nature of the vulnerabilities.
Does it affect Hallnet / Active Housing Customers?
We host all of our data on Amazon Web Services (AWS) virtual servers and as with most providers, their underlying infrastructure relies on the affected CPUs. The good news is that Amazon have acted quickly and released security patches to mitigate these vulnerabilities.
What have we done?
To ensure our systems are as secure as possible, we have rescheduled our standard security updates to align with the AWS and Ubuntu security patches. Our aim is to apply patches within a day or two of them being released. It’s possible that the patches will negatively affect the performance of servers, so we will also be closely monitoring all of the infrastructure that we manage over the next few days to ensure that any potential issues can be managed.
What should you do?
In order to protect against any future exploits of these vulnerabilities, it’s important to apply any security updates released for your operating systems and devices as soon as they are released.
Updates are expected in the next few days and weeks from Apple (https://support.apple.com/en-us/HT208394), Microsoft (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002), Google (https://support.google.com/faqs/answer/7622138) and others.
To learn more about the Intel Meltdown and Spectre vulnerabilities you can visit: http://www.bbc.co.uk/news/technology-42562303 or read the original release from Project Zero at Google, who discovered the issue (warning: very technical): https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html