In early 2018, computer researchers released findings about a hardware design flaw that affects the main chip in most modern computers—the CPU and impacts the security of these devices. The bad news is that YOU ARE MOST LIKELY AFFECTED BY THIS VULNERABILITY.
This defect has been there for years. It creates an IT security issue by allowing malicious programs to steal data that is being processed in your computer’s protected memory. Normally, applications can’t do that because they are isolated from each other, and from the operating system. This hardware flaw breaks that isolation.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. A malicious program can exploit Meltdown and Spectre to get ahold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages or business-critical documents. Depending on the cloud provider’s infrastructure, it may even be possible to steal data from other customers.
What is the difference between Meltdown and Spectre?
Meltdown breaks the isolation between the user app and the OS, so the app can do a memory dump and steal any data in RAM. It’s called Meltdown because this vulnerability melts security boundaries that are normally enforced by the hardware. Meltdown requires a hacker’s application (.exe) to be run on the target machine in order to steal information.
Spectre uses a similar trick to steal information from computer memory. It breaks the isolation between applications. Spectre tricks other applications into accessing arbitrary locations in their memory. The threat with Spectre is that the exploit can be launched through a browser without the attacker having access to the console of the computer. The name comes from the root cause, speculative execution.
What is Being Done to Fix This?
Hardware and software providers are frantically developing patches as we speak. However, the current thinking is that performance features of computer processors will need to be disabled to protect computers. Experts speculate that computer performance will be dropped by as much as 30%. This will be the largest problem with the most utilized computers. Personally, I hope that a smart and creative engineer can introduce a solution that protects the computers of the world without a huge sacrifice to performance.
Take These IT Security Measures Immediately
Invario will deploy all critical patches for computers that we manage as they become available. Vendors such as Microsoft and Google are working quickly to roll out patches. We may also recommend replacing some mission-critical heavily used computers to fix this.
Next, understand that the vulnerable machine has to have malware running to exploit this vulnerability. Be extra vigilant, with security top of mind, and Think Before You Click. Sadly, hackers are using this news to try to trick you into downloading malware that claims to be a patch for the “Meltdown” and “Spectre” hardware issue. At the office, do not act on any emails or popups that tell you to urgently update your computer. At the house, take the same precautions. Patches should only come from official sources like the manufacturer of your PC or the developers of your Operating System (Microsoft Windows or Apple Mac).
When logging into protected websites through a browser, please take the extra step to log out of these sites (which closes the door on your session) rather than just closing the tab or browser.
I recommend IT security awareness training for all users. Invario provides corporate security awareness training as part of our ongoing security services. Contact Invario today if you have questions about software patching or security awareness training.
If you know of a company that would be interested in the services of Invario Network Engineers, please reply to this e-mail with your suggestions, and the individual we should contact.
That is all you have to do! Upon receipt of the first payment from a new customer, Invario will pay 10% of the retainer or labor portion of the first project to the referring person or company. If a new customer signs up for a Worry-Free IT or Server contract the referring party would receive the equivalent of one month of the agreed to contract.
Recipients that do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.
If there is an IT topic you would like to know more about please e-mail me your suggestions.
Dave Wilson, President