Spectre and Meltdown Vulnerabilities for IT Professionals

Updated 1/26/2018: While patching continues, especially for the "Spectre" vulnerabilities, we are going to stop updating this page as of 1/26. IT professionals should pay attention to firmware/microcode updates and *test them thoroughly* before considering deployment. Be on the lookout for, and continue to apply, patches for web browsers and operating systems.

On January 3, 2018, information about three vulnerabilities in modern computer processors was made public (https://meltdownattack.com/ ). Collectively, these have been dubbed "Meltdown" (CVE-2017-5754, rogue data cache load) and "Spectre" (CVE-2017-5753, bounds check bypass, and CVE-2017-5715, branch target injection). Many vendors had this information prior to the disclosure and have released patches or plan to do so soon; others have begun work on them.

These are, at root, information disclosure vulnerabilities: code observes the side effects of speculative execution to read memory it should not be able to read. In the case of Meltdown that includes kernel memory readable from an unprivileged process, which can be leveraged for privilege escalation. They are nonetheless serious, with potential impacts including a guest virtual machine stealing data from other virtual machines on the same host and malicious JavaScript running in a browser reading sensitive information such as passwords. Multi-tenant environments such as VMware or Hyper-V virtualization servers and Remote Desktop Protocol servers are at elevated risk, because they run code from many parties on the same processors, and should be addressed immediately.

This is a complicated set of vulnerabilities and remediation is neither simple nor consistent across platforms. Further complicating this is the fact that some of the patches were initially reported to have performance impacts of up to 30% (NOTE that subsequent benchmarks have demonstrated significantly less impact in many cases; the cost is concentrated in system-call- and I/O-heavy workloads). Harvard Information Security offers the following guidance on a per-platform basis, including suggested priority in applying available patches and considerations before proceeding. If you have further questions, please email ithelp@harvard.edu and note that this is an Information Security question.

Windows Workstations:

Apple Workstations:

  • What: macOS 10.13.2 ("High Sierra") contains the Meltdown fix (https://support.apple.com/en-us/HT208394 ). Ensure that 10.13 users are on 10.13.2 or newer and consider upgrading other users. NOTE (1/8/2018) that the 10.13.2 Supplemental Update adds mitigations for Spectre (https://support.apple.com/en-us/HT208397 ). NOTE (1/26/2018) that the updates released on 1/23 for 10.12 ("Sierra") and 10.11 ("El Capitan") contain fixes as well (https://support.apple.com/en-us/HT201222 ).
  • When: patch "as soon as practical" (this patch cycle or this month, whichever is sooner)
  • Considerations: patches are currently only available for High Sierra, Sierra and El Capitan; older operating systems have no fix and should be upgraded
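Because the Spectre mitigation for High Sierra and the 1/23 fixes for Sierra and El Capitan ship as supplemental/security updates that leave the product version unchanged (10.13.2, 10.12.6 and 10.11.6 respectively), a fleet check cannot rely on `sw_vers` alone. The script below is an added example, not code from Harvard Information Security or Apple: it classifies a version string into "patched", "verify-install-history", "update-required" or "unsupported", using the release numbers named above. The assumption that 10.13.3 and later carry both fixes by version number, and the choice of status names, are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page or from Apple: classify a macOS
# product version against the fixed releases named on this page.
# Assumptions: 10.13.3+ carry both fixes; 10.13.2 carries the Meltdown fix but
# the Spectre mitigation is the "10.13.2 Supplemental Update", which keeps the
# version at 10.13.2; the 1/23 Sierra / El Capitan fixes are security updates
# on top of 10.12.6 / 10.11.6 that likewise keep the version. Those cases get
# "verify-install-history" rather than "patched".

# vercmp A B: prints -1, 0 or 1 as dot-separated numeric version A is lower
# than, equal to or higher than B ("10.13" is treated as 10.13.0).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*} bh=${b%%.*}
        [ "$ah" = "$a" ] && a='' || a=${a#*.}
        [ "$bh" = "$b" ] && b='' || b=${b#*.}
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# at_least V MIN: true when V >= MIN
at_least() { [ "$(vercmp "$1" "$2")" -ge 0 ]; }

# macos_status VERSION: prints one of
#   patched                  both fixes present by version number alone
#   verify-install-history   fixed release, but the fix is a supplemental or
#                            security update that keeps the same version
#   update-required          supported major release, missing the update
#   unsupported              older than El Capitan: no fix available, upgrade
macos_status() {
    v=$1
    if   at_least "$v" 10.13.3; then echo patched
    elif at_least "$v" 10.13.2; then echo verify-install-history
    elif at_least "$v" 10.13;   then echo update-required
    elif at_least "$v" 10.12.6; then echo verify-install-history
    elif at_least "$v" 10.12;   then echo update-required
    elif at_least "$v" 10.11.6; then echo verify-install-history
    elif at_least "$v" 10.11;   then echo update-required
    else                             echo unsupported
    fi
}

# Stand-alone run on a Mac: report this machine (no-op elsewhere).
if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    printf '%s\t%s\n' "$ver" "$(macos_status "$ver")"
fi
```

For machines reported as verify-install-history, `softwareupdate --history` lists installed updates by name, so the supplemental or security update can be confirmed from that output (or from the build number, which those updates do change) rather than from the product version.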

Web Browsers:

  • What: patch as updates are available from browser vendors, currently:
    • Firefox 57.0.4 and the 52 ESR branch contain mitigations
    • IE/Edge are patched in KB4056890 (Windows 10) or KB4056568 (IE on Windows 7 and 8.1)
    • Apple has released patches for Safari
    • Google released Chrome 64 on January 24 with patches
  • When: patch "as soon as practical" (as updates come out, and expect to iterate this patching as new releases come out across the browsers)
  • Considerations: the browser changes so far (reduced timer precision, SharedArrayBuffer disabled) make the attacks harder to mount from JavaScript rather than remove the underlying processor issue, so patches will continue to come out from the vendors in at least the near term

Mobile Devices (iOS/Android):

  • What: patch as updates are available from vendors, currently:
    • iOS 11.2 includes a patch for Meltdown. NOTE (1/8/2018) that iOS 11.2.2 includes mitigations for Spectre (https://support.apple.com/en-us/HT208401 ).
    • Android's January 2018 security release includes patches for both; when a given device receives it depends on the device maker and carrier.
  • When: patch "soon" (within a month of patch release)
  • Considerations: N/A

Windows Servers:

Linux Servers:

Cloud Environments:

  • What: Amazon Web Services and Microsoft Azure have applied patches to their hosts and hypervisors. Customers must still patch their guest operating systems (see the relevant "Servers" section herein): the provider's patches protect the host and isolate tenants from each other, but do not protect a guest from code running inside that guest.
  • When: N/A
  • Considerations: N/A
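The guest-side check that follows is an added example, not code from the original page, AWS, Azure or any distribution. Linux kernels that carry the Meltdown/Spectre patches (4.15 and the vendor backports) export one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), each containing "Not affected", "Vulnerable" with optional detail, or "Mitigation: <name>"; a kernel without the patches has no such directory at all, which is itself the finding. The sample tree the script builds under mktemp is constructed for the demonstration and is not captured from a real host; the one-word verdicts are this example's own naming.

```shell
#!/bin/sh
# Added example, not from the original page or any cloud provider: a guest-side
# check that the operating system (not just the provider's host) carries the
# Meltdown/Spectre mitigations, read from the kernel's sysfs status files.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# mitigation_status DIR: prints "issue<TAB>status" per file. Exit status:
#   0 every issue mitigated or not affected
#   1 at least one issue reports Vulnerable (or cannot be read)
#   2 directory missing or empty: kernel predates the mitigation patches
mitigation_status() {
    dir=$1 bad=0 seen=0
    [ -d "$dir" ] || { printf 'no %s: kernel predates the mitigation patches\n' "$dir"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        seen=$((seen + 1))
        status=$(cat "$f" 2>/dev/null || echo unreadable)
        case $status in
            "Not affected"|Mitigation:*) ;;
            *) bad=1 ;;
        esac
        printf '%s\t%s\n' "${f##*/}" "$status"
    done
    [ "$seen" -gt 0 ] || return 2
    return $bad
}

# host_verdict DIR: one word per host, suitable for fleet reporting
host_verdict() {
    rc=0
    mitigation_status "$1" >/dev/null || rc=$?
    case $rc in
        0) echo mitigated ;;
        1) echo vulnerable ;;
        *) echo kernel-unpatched ;;
    esac
}

# Constructed sample (not captured from a real host): KPTI present for
# Meltdown, Spectre v1 handled, Spectre v2 only partially covered, which is
# what a kernel reports while it still lacks a full retpoline build.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                           > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n'   > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

# Stand-alone run: this host first, then the constructed sample.
printf 'this host: %s\n' "$(host_verdict "$VULN_DIR")"
sample=$(make_sample_tree)
mitigation_status "$sample" || true
printf 'sample host: %s\n' "$(host_verdict "$sample")"
rm -rf "$sample"
```

Run it inside each guest, not on the provider's console: a "vulnerable" or "kernel-unpatched" verdict in a guest is unaffected by anything AWS or Azure did on the host. On newer kernels the spectre_v2 line also states whether the virtual CPU exposes the new microcode features (an IBPB suffix, for example), which is the part of the guest's posture that does depend on the provider.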

Virtualization Environments (VMware, Hyper-V):

  • What: apply vendor hypervisor patches with urgency; these hosts run code from many tenants on shared processors
  • When: patch "NOW": AS SOON AS POSSIBLE
  • Considerations:
    • While this should be patched ASAP, do not skip testing first
    • We have not evaluated other hypervisors

Research Computing Environments:

  • What: These environments may be the most problematic. They tend to be multi-tenant (elevated risk) and performance-critical, and the patches cost the most on exactly the kind of system-call-heavy workloads such clusters run. Begin or continue to evaluate the potential performance impacts in your environment and develop a plan to address them ASAP. FAS RC is working on this and we will share their strategy as it develops.
  • When: patch "as soon as practical" (as soon as you have a well-tested plan in place)
  • Considerations: see above with respect to performance

See also: Security Alerts