Meltdown and Spectre Vulnerabilities


On Jan 3, 2018, a group of security researchers disclosed new security vulnerabilities that affect most CPU’s that are found in computers, tablets, smart phones and Internet connected devices such as smart washing machines. These vulnerabilities are called Meldown and Spectre.  Neither has been proven to be able to delete or alter data, although in theory, a compromised device could allow some data to be read, which might include passwords. There have not been any known instances of any malware that exists that could be used to exploit these vulnerabilities as of this date.

Intel is downplaying the severity of the issues while others are claiming the risk is huge. Sound confusing? No kidding.

What Could Happen

In order for the malicious code to gain access to the CPU, the computer or device must first be compromised by malware, which is typically injected when users click on Phishing links found in email or browse to infected websites. Microsoft did rush to release some patches that block access to the CPU but almost immediately users complained of blue screen failures and conflicts with some applications, leading Microsoft to restrict which computers will receive these patches. Microsoft has advised that the patches will change the way Windows talks to the CPU and that all devices will suffer some level of a performance hit. It is expected that server performance will be the most seriously impacted.

We have confirmed that SonicWall firewalls are not affected by these issues based on the CPU’s they use and the way their operating system works, so BSC’s clients with SonicWall firewalls at least know they are not vulnerable to anonymous attacks via the Internet on their firewalls.

What to do next?

BSC Supported Equipment: BSC will continue to monitor multiple sources and will propose different actions for different clients, depending on their hardware and software in use.

Smart Phones: You should receive prompts to update your phone and should approve and apply these updates as soon as possible.

Personal Computers: Ensure your anti-virus software is running a current version and is up to date. Then apply all Windows Updates to your computer.

This is not going to be a quick fix as so many different types of equipment are affected. Some will never get patched and we will have to live with the risk until the equipment is replaced at some point in the future.

Be vigilant in spotting phishing email and avoid websites you are not familiar with. If you are viewing email on your phone and are uncertain about a link, wait to view the link on a computer. Hover over the link to verify the true path and that it is legitimate, before clicking on it.

Let us know if you have any questions or concerns or would like additional clarification.

Now, more than ever, employee IT security awareness training is a critical component to keeping your data and computer network as secure as possible.  Contact us to learn about our affordable, award-winning education program.