Threat Update: Meltdown and Spectre Side-Channel Vulnerabilities
January 4, 2018
Herjavec Group is aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information.
Users and administrators are encouraged to review Vulnerability Note VU#584653, Microsoft's Advisory, and Mozilla's blog post for additional information and refer to their OS vendor for appropriate patches.
Firefox has released an advisory confirming web-based exploitation is possible and has released this update. We will provide additional information as it becomes available.
For additional resources, we recommend reading through the following updates:
- A summary of performance impacts from the mitigations.
- Google's What you need to know blog posting.
- Various cloud providers have provided updates: Amazon, Azure, Linode,
- A statement from Intel that fixes are on the way.
- Intel has published a white paper [PDF] on the vulnerabilities.
- AMD's update and ARM's update on which processors are vulnerable.
- General distributor/project updates (other than specific package alerts): Chromium, Mozilla, Qubes, Red Hat, SUSE, Ubuntu,Xen, Fedora, Xen FAQ,
- Kernel patches: retpoline, IBRS control (for indirect branch speculation), speculative read inhibition. We'll be looking at these in detail soon.
For more information please connect with a Herjavec Group security specialist.
Herjavec Group circulates US – CERT advisories as this notification warrants attention and may have significance to your Enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.