Spectre and Meltdown Vulnerabilities for IT Professionals

Update 1/9/2018:

Microsoft has temporarily halted distribution of the patch cluster after receiving multiple reports of AMD-based systems becoming unbootable following patching. If you distribute patches via enterprise mechanisms such as LANDesk, this halt will of course not affect you, but you may want to take it into account before broadly applying the patch.

Microsoft’s official announcement is located at https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices - we strongly encourage you to track this issue if you choose to delay patching some or all of your environment based on this information.

On January 3, 2018 information about three vulnerabilities in computer processors was made public (https://meltdownattack.com/ ). Collectively, these have been dubbed "Meltdown" (CVE-2017-5754, variant 3, rogue data cache load) and "Spectre" (CVE-2017-5753, variant 1, bounds check bypass, and CVE-2017-5715, variant 2, branch target injection). Many vendors had this information prior to the disclosure and have released patches or plan to do so soon; others have begun work on them.

While these are effectively information disclosure vulnerabilities (though Meltdown lets an unprivileged process read kernel memory, which can lead directly to privilege escalation), they are fairly serious, with potential impacts including guest virtual machines being able to steal data from other virtual machines on the same host and malicious JavaScript running in a browser being able to read sensitive information such as passwords from the browser's memory. Note that multi-tenant environments such as VMware or Hyper-V virtualization servers or Remote Desktop Protocol servers are at elevated risk and should be addressed immediately.

This is a complicated set of vulnerabilities and remediation is neither simple nor consistent across platforms. Further complicating this is the fact that some of the patches are reported to have performance impacts of up to 30%, concentrated on workloads that make many system calls or do heavy I/O. Harvard Information Security offers the following guidance on a per-platform basis, including suggested priority in applying available patches and considerations before proceeding. If you have further questions, please email ithelp@harvard.edu and note that this is an Information Security question.

Windows Workstations:

Apple Workstations:

  • What: macOS 10.13.2 ("High Sierra") is the only version for which a patch is currently available (https://support.apple.com/en-us/HT208394). It is not clear when or if patches for other versions will be available. Ensure that 10.13 users are on 10.13.2 and consider upgrading other users. NOTE (1/8/2018) that the 10.13.2 Supplemental Update includes mitigations for Spectre (https://support.apple.com/en-us/HT208397).
  • When: patch "as soon as practical" (this patch cycle or this month, whichever is sooner for 10.13, and when available or when you can upgrade for others)
  • Considerations: patches are currently only available for High Sierra

Web Browsers:

  • What: patch as updates are available from browser vendors, currently:
    • Firefox 57.0.4 and 52 ESR contain mitigations
    • IE/Edge are patched in KB4056890 (Windows 10) or KB4056568 (for IE on Windows 7 and 8)
    • Apple will be releasing a patch for Safari soon
    • Google will release Chrome 64 on January 23 with a patch
  • When: patch "as soon as practical" (as updates come out, and look to iterate this patching as new releases come out across the browsers)
  • Considerations: patches will likely continue to come out from the vendors in at least the near term

Mobile Devices (iOS/Android):

  • What: patch as updates are available from vendors, currently:
    • iOS 11.2 includes a patch for Meltdown. NOTE (1/8/2018) that iOS 11.2.2 includes mitigations for Spectre (https://support.apple.com/en-us/HT208401 ).
    • Android's January security release will include patches for both.
  • When: patch "soon" (within a month of patch release)
  • Considerations: N/A

Windows Servers:

Linux Servers:

Cloud Environments:

  • What: Amazon Web Services and Microsoft Azure have applied patches to their hypervisors and underlying infrastructure. This does not patch your instances: customers must still apply patches to the operating systems running inside their virtual machines (see the relevant "Servers" section herein).
  • When: N/A
  • Considerations: N/A
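The point above applies to any Linux virtual machine, in the cloud or on a local hypervisor: the provider patching the host does nothing for the guest kernel. The script below is an added example for this page, not code from the original advisory or from any vendor. It reads the mitigation status the Linux kernel itself reports under /sys/devices/system/cpu/vulnerabilities/ (present on mainline 4.15 and on distribution kernels that backported the January 2018 fixes; older kernels lack the directory and are reported as unknown) and also flags boot parameters such as nopti, pti=off or nospectre_v2 that switch the mitigations back off. The function names, the --run flag and the sample values in the comments are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original advisory: report the Meltdown/Spectre
# mitigation status that the Linux kernel exposes, and flag boot parameters that
# disable those mitigations. Assumes a kernel that provides
# /sys/devices/system/cpu/vulnerabilities/ (4.15+ or a distribution backport);
# on older kernels the directory is missing and the status is reported as unknown.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"

# classify_status "<sysfs text>" -> mitigated | vulnerable | not_affected | unknown
# The kernel writes strings such as "Mitigation: PTI", "Vulnerable",
# "Vulnerable: Minimal generic ASM retpoline" or "Not affected".
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> one line per sysfs entry: "<name> <class> <raw kernel text>"
report_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "meltdown unknown kernel does not expose $dir"
        return 0
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        raw=$(cat "$f")
        echo "$(basename "$f") $(classify_status "$raw") $raw"
    done
}

# host_is_patched DIR -> exit 0 only if meltdown, spectre_v1 and spectre_v2 are
# all mitigated or not affected; a missing or unknown entry counts as unpatched.
host_is_patched() {
    dir="$1"
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then
            cls=$(classify_status "$(cat "$dir/$v")")
        else
            cls=unknown
        fi
        case "$cls" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# cmdline_disables_mitigations "<kernel command line>" -> exit 0 and print the
# offending tokens if the boot line turns a mitigation off, else exit 1.
cmdline_disables_mitigations() {
    found=1
    for tok in $1; do
        case "$tok" in
            nopti|pti=off|nospectre_v2) echo "$tok"; found=0 ;;
        esac
    done
    return "$found"
}

# Usage on a guest: sh check-mitigations.sh --run
if [ "${1:-}" = "--run" ]; then
    report_dir "$VULN_DIR"
    if [ -r "$CMDLINE_FILE" ] && bad=$(cmdline_disables_mitigations "$(cat "$CMDLINE_FILE")"); then
        echo "WARNING: mitigations disabled on the kernel command line: $bad"
    fi
    if host_is_patched "$VULN_DIR"; then
        echo "RESULT: patched"
    else
        echo "RESULT: NOT patched (apply the vendor kernel update and reboot)"
        exit 1
    fi
fi
```

Run it with --run on each guest after the kernel update and reboot; a non-zero exit means at least one of the three entries is still reported as vulnerable, or the kernel is too old to report at all, and the guest should stay on the remediation list. The functions take the directory and command line as arguments, so the same checks can be run against files copied off a host that cannot run scripts directly.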

Virtualization Environments (VMware, Hyper-V):

  • What: Apply vendor patches with urgency
  • When: patch "NOW": AS SOON AS POSSIBLE
  • Considerations:
    • While this should be patched ASAP, do not skip testing first
    • We have not evaluated other hypervisors

Research Computing Environments:

  • What: These environments may be the most problematic. They tend to be multi-tenant (elevated risk) and performance-critical. Begin or continue to evaluate the potential performance impacts in your environment and develop a plan to address ASAP. FAS RC is working on this and we will share their strategy as it develops.
  • When: patch "as soon as practical" (as soon as you have a well-tested plan in place)
  • Considerations: see above with respect to performance