On January 3rd, three new vulnerabilities were disclosed. These vulnerabilities take advantage of how various CPU’s handle processing in order to return a faster result.
The technical details for Spectre and Meltdown are addressed by the papers linked to their names above. And some POC’s from the Project Zero team.
A few observations on how the industry is addressing this issue…and a few points of interest that I’ve found along the way. First, let’s note that the CVE’s for these are 2017…when in 2017? We don’t know. But the catchy domain names were registered around the third week in December, 2017.
The full vendor matrix at CERT – this is always worth watching, and there are some useful tips for cloud implemenations via Amazon and Microsoft Azure:
Operating system manufacturers:
Apple
- Will release updates for Safari and iOS in coming days. Some speculation that iOS on Mac’s that is 10.13.2 or higher has some protection from one or more variants – not verified
- https://support.apple.com/en-us/HT208394
Windows
- Patches are available for Windows 10 as of January 3rd. Other patches are anticipated to be available on Patch Tuesday, January 9th.
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
- https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
Linux
- Kernel already patched
- https://lkml.org/lkml/2017/12/4/709
Some antivirus solutions are causing blue screens after application of these patches:
- https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released
This is particularly interesting to me – the browsers. I did not expect to see the browser patch bandwagon to be as rapid as it has been:
Firefox
- Partial, short term mitigations already in place – full patch ETA is unknown
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
Internet Explorer
- Patches available for supported browsers
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Safari
- Will be addressed in approximately the same timeframe as Apple iOS patches – current ETA unknown
Chrome
- Chrome patches have an ETA of January 23rd. Google recommends turning on Site Isolation as a mitigation in the meantime
- https://support.google.com/faqs/answer/7622138
The long and short. Is the sky falling? Probably not. If you have solutions that are hosted with a cloud provider, check in with them. What are their recommended mitigations, and have you implemented them? In an enterprise environment, do your due diligence on patches. Patch in your test environment first, and research your antivirus solution for potential impact.
And I believe I’m paraphrasing the excellent Graham Cluley. Calm down, make a cup of tea – although mine is salted caramel coffee. Patch during your normal cadence for critical patches, and keep the ship afloat!