In the last couple of days, the nature and scale of two similar security flaws in computer processors (CPU) have come to light. They are “Meltdown” and “Spectre”. Between then they affect nearly all CPUs produced in the last 10 years and there’s a scramble for emergency patches to operating systems/Hypervisors such as Windows, Linux, and VMWare. It also requires a firmware update from the machine’s manufacturer.
The security flaws allow applications to access what should be secure memory locations. “Meltdown” only affects Intel CPUs, whereas “Spectre” affects Intel, AMD and ARM branded CPUs. Broadly speaking this means application X can potentially access information relating to application Y. If application X is malicious, it can exploit this to circumvent normal security protections.
The UK’s National Cyber Security Centre (part of GCHQ) has responded by saying:
“We are aware of reports about a potential flaw affecting some computer processors.”
“At this stage, there is no evidence of any malicious exploitation and patches are being produced for the major platforms.”
“The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available.”
Take Action Now
This isn’t a case of not worrying because everyone is in the same boat. It must be fixed – ask your IT today what their plans are for doing so.
There is one other thing to bear in mind. A final fix will have a performance impact for some machines, depending on the age of their CPU and the kind of workloads it runs. Newer chips may have fewer issues, while high-frequency system calls from processes like SQL servers are more likely to suffer. If you see this, it might not be your imagination, so make sure you raise it for discussion with your IT support.
There will be a number of patches and hotfixes to address these issues over the coming week. Riverbank will roll out approved security updates to all clients at the earliest opportunity. We’ll also keep engaged with our users over any performance changes after the patches, so these can be addressed.
If you would like to know more about the Meltdown and Spectre vulnerabilities and how they might affect you, please contact us at firstname.lastname@example.org or on 01235 426 700. Or fill out your details below.