Systems Engineering (SE) is aware of the recently disclosed processor vulnerabilities known as Spectre and Meltdown, which affect a very large population of computers and servers. We are researching the vulnerabilities and formulating our response.
Early reports indicate that the software patches addressing these vulnerabilities could slow down computers by as much as 30%, with the actual figure depending heavily on workload (system-call and I/O heavy work is hit hardest, ordinary desktop use far less), so we need to vet the viability of the patches before deploying them. As always, a layered approach to security is your best protection against the exploitation of vulnerabilities like this: an attacker must already be able to run code on a machine before either attack can be attempted at all.
Update: Friday, January 5
Software patches are being released to address the CPU vulnerabilities Meltdown and Spectre. Before deployment, these patches will go through our standard vetting process, which is intended to minimize the risk of unintended outcomes such as the performance degradation that initial analysis has indicated. We are also contacting our third-party service providers to understand their exposure and remediation plans.
At this point it is worth a deeper discussion on how these vulnerabilities work and the risk these represent.
First, why are there two names, Meltdown and Spectre? They are related but distinct attacks, and both abuse the same performance feature of modern processors: speculative execution. To stay fast, a processor guesses which instructions it will need next and runs them ahead of time, throwing the results away if the guess turns out to be wrong. That discarded work still leaves traces in the processor's cache, and a program that carefully times its own memory accesses can read those traces. Meltdown uses this to read memory that belongs to the operating system kernel, which the program is not permitted to see; Spectre instead trains the processor's branch predictor so that another program speculatively touches its own secrets in a way the attacker can observe. Meltdown is largely specific to Intel processors and is addressed by an operating system change (kernel page-table isolation, the source of most of the reported slowdown), while Spectre affects processors from Intel, AMD and ARM and requires a combination of operating system, compiler, browser and CPU microcode updates.
These hardware bugs allow programs to steal data that is currently being processed on the computer. While programs are normally not permitted to read data belonging to other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include passwords stored in a password manager or browser, personal photos, emails, instant messages, and even business-critical documents.
So what is your risk of an attack using Meltdown or Spectre? Risk is commonly expressed as probability multiplied by impact. In this case the probability is "low": the exploits are complex, and an attacker must first get code running on the target, either by getting through the other layers of defense or, in Spectre's case, by getting a user's browser to run a hostile web page. (Shared platforms such as virtualization hosts and cloud servers, where other tenants already run code on the same hardware, sit higher on that scale.) The impact is "high" because the attacks disclose the contents of memory rather than merely crash a system: passwords, session tokens and encryption keys recovered this way can then be used to take control of the PC or server and to move to other systems on the network, resulting in a breach of any sensitive data that is found. For this particular set of vulnerabilities, SE rates the risk as medium to medium-high.
Meltdown and Spectre Risk = Probability (low) x Impact (high) = medium/medium-high
We strongly recommend addressing these vulnerabilities by patching operating systems, hypervisors, browsers and other affected system software, and by applying the CPU microcode (firmware) updates from hardware vendors as they become available, since some of the Spectre fixes depend on them. Given the low probability of attack, we have the time to make sure the process is complete and minimizes the risk of disruption, and we will verify that each fix is actually in effect on a patched system rather than assume it.
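As an added example for this advisory (it is not SE's own tooling), here is a POSIX shell check of the mitigation status that Linux kernels from 4.15 onward publish under /sys/devices/system/cpu/vulnerabilities/, one file each for meltdown, spectre_v1 and spectre_v2, each reading "Not affected", "Mitigation: ..." or "Vulnerable". The function name check_mitigations, the --host/demo handling and the sample file contents are this example's own constructions. It treats a missing file (a kernel too old to carry the fix at all) as a failure rather than a pass, which is the mistake a naive "grep for Vulnerable" check makes.

```shell
#!/bin/sh
# Added example for this advisory, not SE's own tooling.
# Linux 4.15+ publishes one file per issue under this directory; each reads
# "Not affected", "Mitigation: ..." or "Vulnerable[: ...]".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_mitigations [DIR]
# Prints "<issue> <STATE> <raw kernel text>" per issue and returns 0 only if
# every issue is "Not affected" or mitigated. A missing file (kernel older
# than 4.15, or not Linux) counts as UNKNOWN and also fails the check.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            printf '%-10s %-10s %s\n' "$issue" UNKNOWN "no $f (kernel predates the interface?)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case $status in
            "Not affected"*) state=OK ;;
            Mitigation:*)    state=OK ;;
            Vulnerable*)     state=VULNERABLE; rc=1 ;;
            *)               state=UNKNOWN;    rc=1 ;;
        esac
        printf '%-10s %-10s %s\n' "$issue" "$state" "$status"
    done
    return $rc
}

# make_sample: constructed stand-in for the sysfs directory (not captured from
# a real host) so the check can be demonstrated offline. Prints the temp path.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

case "${1:-}" in
    --host)  # audit this machine; the exit status is the verdict
        check_mitigations "${2:-$VULN_DIR_DEFAULT}" ;;
    *)       # default: walk through the constructed sample
        sample=$(make_sample)
        check_mitigations "$sample" || echo "==> this host would FAIL the post-patch check"
        rm -rf "$sample" ;;
esac
```

Saved as, say, check_mitigations.sh and run as `sh check_mitigations.sh --host` on a patched Linux machine, the exit status is the verdict, so it drops straight into existing monitoring; with no arguments it only walks through the constructed sample. Windows hosts have an equivalent in Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which also reports whether the CPU microcode update the Spectre fixes depend on is present.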
Update: Tuesday, January 9
We are continuing to evaluate the risk and the viability of the available software patches for these vulnerabilities. We have found that patches from various software vendors carry their own issues and dependencies that we need more time to test before rolling out a remediation plan. We are not comfortable issuing a fix that might prove ineffective, or cause unexpected degradation in performance, for operating systems, SQL databases, hypervisors and other affected software.
At this time, the next update is planned for early next week unless new information develops between now and then.
If you have questions, please email us at email@example.com or contact your SE Account Manager.
Please continue to follow this post for updates.