“Keep Calm and Carry On.” Originally used in World War II-era motivational posters from the British government before becoming an Internet meme, this catchphrase is actually very good advice for those feeling uneasy about the recent revelations of significant security flaws in central processing units (CPUs).
The vulnerabilities, known as Meltdown and Spectre, could allow an attacker to access a system’s kernel memory to steal passwords, financial information and other sensitive data. While the Meltdown flaw appears to be exclusive to Intel chips, Spectre affects Intel, AMD and ARM processors. Collectively, they impact virtually every system with a modern processor, including smartphones, desktops, laptops and cloud servers — regardless of the operating system they run.
The flaws were made public in the first week of January, generating a fair amount of panic in the tech world. Some analysts quickly labeled them the “worst bugs ever found.” Two major government-backed cybersecurity bodies — the Computer Emergency Readiness Team (CERT) and the Software Engineering Institute — initially labeled the flaws as unfixable and warned that they would require total hardware replacement. (Recognizing that this isn’t a practical solution, both groups have modified their guidance to recommend applying software updates.)
While these flaws are certainly serious and require attention, there’s no need to panic. Software patches that can mitigate the risks are rapidly being pushed out to end-users, and leading security vendors say there have been no observed cases of malware that is capable of exploiting the vulnerabilities. In fact, researchers say the vulnerabilities will be difficult to exploit.
In the long term, the flaws will likely result in a rethinking of chip design. However, it will probably be a few years before new CPU designs are ready for the marketplace. In the meantime, vendors will continue to develop and refine guidance and patches for mitigating risk.
The following systems, listed with their patch level or version, are the ones we strongly recommend customers address:
Apple has released updates for Mac and iOS devices.
- iOS 11.2.2, macOS 10.13.3, and tvOS 11.2.1
- Patches for Safari on macOS and iOS will be released soon
Google has released updated security patches for Android devices and browsers. Owners of Android phones will need to make sure they download the latest security updates available.
- Android phones
- Google Apps like Gmail or Drive
- Google Chrome web browser
- Google Home smart speaker
- Google Chromecast
Microsoft is releasing emergency patches.
- Windows 10: the update is available immediately through Windows Update
- Windows 7 or Windows 8 won't receive updates until Jan. 9, 2018
- Windows Surface Pro and Surface Book have available updates
- Windows 2008 — Not available
- Windows 2008 R2 — Available
- Windows 2012 & R2 — Available
- Windows 2016 — Available
Some Linux patch releases are available.
- RHEL has released a new kernel security patch that addresses multiple variants of its OS (including CentOS). Please check the Red Hat site for new packages.
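After the new kernel package is installed and the system rebooted, the kernel's own mitigation report can confirm the patch took effect. The script below is an added example, not part of the original advisory or any vendor's tooling; it assumes the running kernel exposes the sysfs directory `/sys/devices/system/cpu/vulnerabilities/` (a path not mentioned above), and the function names `classify_status` and `check_cpu_flaws` are hypothetical.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigations.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/.
# A missing file is treated as "unknown", i.e. the kernel still needs review.

# classify_status <status-line>  ->  prints patched | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|Mitigation*) echo patched ;;
        Vulnerable*)                 echo vulnerable ;;
        *)                           echo unknown ;;
    esac
}

# check_cpu_flaws [dir]  ->  one line per flaw; returns 0 only if all are patched
check_cpu_flaws() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$flaw" ]; then
            status=$(cat "$dir/$flaw")
        else
            status="(no report from kernel)"
        fi
        verdict=$(classify_status "$status")
        printf '%-11s %-10s %s\n' "$flaw" "$verdict" "$status"
        # Anything other than "patched" makes the overall check fail.
        [ "$verdict" = patched ] || rc=1
    done
    return "$rc"
}
```

Source the file and run `check_cpu_flaws` on each Linux host; a non-zero exit status marks a host that still needs a kernel update or a reboot into the updated kernel.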
Web browsers should be checked and updated as appropriate.
- With the security update applied, Chrome should be on version 63.
- With the security update applied, Firefox should be on version 57.0.4.
Fortinet is still investigating the effects of these attacks on its security platforms. Please visit the following PSIRT for the latest updates: https://fortiguard.com/psirt/FG-IR-18-002
Cisco is still investigating the effects of these attacks on its Meraki platforms. Please visit the following URL for the latest updates: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
We recommend that our customers “Keep Calm and Carry On” by adhering to security best practices, ensuring that antivirus and antimalware solutions are up to date, applying patches for both business and personal devices, and checking regularly for new updates. We’ll continue to keep our customers updated on any changes to this threat, and will continue to work toward implementing the appropriate fixes within SageNet's environment as well.
If you have questions, please contact your SageNet Program Manager or email the Security Operations Center, firstname.lastname@example.org.