On January 2, 2018, a serious design flaw in Intel CPUs was reported that could be exploited by attackers to gain unauthorized access to a computer’s memory. These vulnerabilities, dubbed Meltdown and Spectre, affect nearly all modern processors and can only be mitigated through operating system patches. While these vulnerabilities are significant, their exploitation requires that an attacker gain access to a targeted computer via a prior step.
Due to the nature of these vulnerabilities, AccessData recommends that its users apply operating system patches as soon as they are made available. Patches addressing the Meltdown vulnerability have already been released for Microsoft Windows (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002). Patches for the Spectre vulnerability are not yet available, as the vulnerability is reportedly more difficult to patch, but also more difficult to exploit.
Please also note that operating system vendors have already warned that patching is likely to have a performance impact on affected computers. However, based on these early reports, AccessData does not believe that the impact will be noticeable on most systems.
What are Meltdown and Spectre?
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
Am I affected by the Meltdown and Spectre vulnerability?
Almost certainly, YES. These vulnerabilities affect desktops, laptops, cloud computers, and mobile devices.
More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). Currently, Meltdown has only been verified on Intel processors. At the moment, it is unclear whether AMD processors are also affected.
What should I do to protect my AccessData servers and information?
AccessData recommends that its users apply operating system patches as soon as they are made available. Patches addressing the Meltdown vulnerability have already been released for Microsoft Windows (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002).
Is there more technical information about Meltdown and Spectre?