New vulnerabilities in computer chips leak passwords and sensitive data.
There are a couple of new and potentially serious security risks in town, and they are called Meltdown and Spectre. You need a plan of action as soon as possible to protect yourself, because these are different, and not in a good way. If you have an IT provider, they should have already alerted you and considered the best way to ease your company into safeguarding against these potential attacks.
How do Meltdown and Spectre create a threat?
Meltdown and Spectre exploit critical vulnerabilities in modern processors, including the ubiquitous Intel and AMD chips. These hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Who is affected?
Everybody is affected - Meltdown and Spectre work on personal computers, mobile devices, and in the cloud (yes, even cloud servers that have not been safeguarded are vulnerable). Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
This threat is virtually undetectable, and anti-virus software likely won’t be able to stop it. Microsoft has released a patch, but it requires a change in the Registry and compatible anti-virus software.
It’s not good, folks, and to make it more difficult, the patches are causing some slowdowns, and there are some compatibility issues among anti-virus and security software that have to be checked before applying the Microsoft patch. Furthermore, it is highly recommended that all computing devices get their firmware (BIOS) and all browsers updated to the newest versions.
So there are complications in patching these threats properly, and we would advise that you have a professional check it out. The worst thing anyone can do is ignore this warning and do nothing; the bad guys won’t.
Who reported Meltdown?
Meltdown was independently discovered and reported by three teams:
Jann Horn (Google Project Zero),
Werner Haas, Thomas Prescher (Cyberus Technology),
Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)
Who reported Spectre?
Spectre was independently discovered and reported by two people:
Jann Horn (Google Project Zero) and
Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)
More technical information about Meltdown and Spectre
See Google Project Zero blog entry about both attacks at https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html.
If you need assistance, give us a call at EDM Automation 757-296-7184.
Lee Nelson, Senior Solutions Architect