Updated on March 29, 2018
As reported by several media sources, a critical flaw in all modern CPUs could lead to disclosure of potentially sensitive information. These vulnerabilities are referred to as Meltdown and Spectre.
These vulnerabilities exploit the CPU hardware implementations, which are vulnerable to side-channel attacks. If the attacker is able to execute code with user privileges, it may enable the attacker to read information that would otherwise be protected within the kernel memory. Most modern processors including: Intel, AMD, and ARM are vulnerable.
The issues are organized into three variants:
- Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass
- Variant 2 (CVE-2017-5715, also Spectre): Branch target injection
- Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load, memory access permission check performed after kernel memory read
What is NAVEX Global doing?
NAVEX Global has been monitoring these vulnerabilities since first reported, and will continue to monitor these vulnerabilities in the days and weeks ahead.
To mitigate these attacks, Operating System, CPU microcode, and some application updates are being released. Microsoft currently has patches available for their Operating Systems and other software. After testing internally, these patches will be rolled out during our scheduled maintenance windows as follows:
Hosting
All servers have had Operating System patches applied.
Internal
All workstations and servers have been patched.
Additionally, NAVEX Global will apply patches to all affected hardware and software as manufacturer patches become available.
*Note: All hardware BIOS patches have been rescinded by the vendors for our equipment, so we have no patches to apply at this time.