01-08-18 | Blog Post
IT magazine The Register reported that there was a major flaw with Intel, AMD, ARM and POWER chips that affect virtually every single computer ever made in the past 20 years. What a way to bring in the new year, eh?
There are two flaws: One is called Spectre, and the other is Meltdown. Meltdown primarily affects Intel and ARM chips, where bad actors can get the CPU to reveal application information from the machine kernel, such as passwords. The good news is that it is easier to guard against, although it does affect CPU performance. Spectre affects all chips and is trickier to implement, but essentially is the same problem: It can abuse the processor to obtain application information that is usually kept secret. Even though Spectre requires more setup work to implement, it is also harder to mitigate and is less understood, meaning it still poses a dangerous threat.
Well, for one, since these flaws affect virtually every computing device ever made in the past 20 years, chances are that your processor is at risk, too. But the problem goes further: One, the problem isn’t really a software bug easily fixed with a patch, but coded into the hardware itself. Spectre appears to have some systemic fixes but protection against the entire range will involve modifying many at-risk programs. This will mean a redesign of future processing chips, which could affect future performance. In the meantime, the patches that have already been rolled out will help fix current chips, but they were not optimized and tested as they should have been.
Because these flaws affect every machine that uses processing chips, they also affect the major cloud providers Amazon, Microsoft, and Google that use these machines across a broad base of users. How so? Public cloud hardware is shared across users, which is why it can boast reduced costs for the companies that use it. But now that the root kernel is vulnerable to attack, the possibility of data exposure in a multi-tenant environment is suddenly very real.
If you are a customer of Online Tech, please be advised of the following options: Clients who have automatic windows updates (Patch Process 1) will receive the patch on the next update cycle or they can manually update their machines prior to the automatic process by using Windows Update on the server or by contacting Online Tech support for assistance.
For clients with manual updates (Patch Process 2 and 3), the patch can be manually installed at any time through windows updates, or by contacting Online Tech support. We highly recommend all clients update and reboot their system as soon as possible; however, please note that there have been issues noted with antivirus software interfering with patch installation. The Microsoft KB articles detail workarounds for this issue, or you can contact Online Tech support for assistance.
VMware has released a patch for this vulnerability and we are currently testing the updates prior to patching the VMware infrastructure that runs our Virtual Private Cloud (VPC). We deployed the patch over the weekend (1/6 – 1/7), and we will be sending out an additional maintenance notification with more details. For clients running VMWare environments not managed by Online Tech, it is recommended to apply the patch as soon as possible. The patch and installation information can be obtained from the following link:
If you’d like further information regarding the Meldown and Spectre vulnerabilities, please refer to following academic papers detailing the vulnerabilities:
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
We will continue to provide updates on these vulnerabilities as more information emerges about them. If you have any questions or concerns regarding this incident, please contact us by logging into OTPortal, e-mailing support at Otava dot com, or calling 877-740-5028.