Protecting CT customers - what you need to know right now about Meltdown & Spectre

As you may have recently heard, serious security flaws that could let attackers steal sensitive data, including passwords and banking information, have been found in processers designed by Intel, AMD and ARM.  The flaws are named Meltdown and Spectre, and combined, they affect virtually every computer, smartphone, tablet and PC.

To get up to speed, CT recommends you have a read of the article from the BBC http://www.bbc.co.uk/news/technology-42564461 and the Verge which includes Microsoft’s official statement.  https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix

We would like to take this opportunity to reassure all CT customers that we continue to provide the highest levels of data protection and security available and that all patches for Windows included within the contract will be automatically set to install as soon as they are released.  The Firmware and VMware updates, however, require manual installation, and once released, CT customers will be advised and can request this installation.

We recommend to any business that the Microsoft, VMware and Apple security patches are installed as soon as they are released and that any Firmware updates released by hardware manufacturers are installed to provide you with the greatest levels of protection possible.

CT also requests that all customers remain vigilant and do no open e-mails or attachments from unknown sources and are cautious not to click any unknown web links.  If in doubt do not open the file or click the link. 

To provide a quick overview we have pulled out some key points for you below.  Any questions, or if you have any concerns, please speak to your account manager in the first instance.

The vulnerability

There are two separate security flaws, known as Meltdown and Spectre.  Meltdown affects laptops, desktops and servers with Intel and ARM Chips and Spectre affects all modern chips for example in Smartphones, tablets, computers and servers.

To date there has been no known exploits of the vulnerabilities. The risk is that now the vulnerability is known, it will begin to be exploited and should therefore be taken seriously – the Meltdown flaw is very easy to exploit.

The current impact is largely unknown but MS has suggested that it’s security patch may cause some slow down in the performance of their computer, smartphone or tablet in some instances.

The Risk

Both Spectre and Meltdown utilise the “speculative execution” which is central to most CPUs produced in the last 20 years, so all un-patched computers and servers should be considered at risk.

Workstations, mobile devices and remote desktop servers with the possibility of an end user inadvertently introducing an exploit (by downloading a malicious item or clicking a malicious link) are the principle risks. 

The flaw would then allow the malware to then access data stored in the CPU cache that should be protected – such as passwords and other confidential information. The Meltdown flaw presents a greater threat as it can be exploited even by JavaScript on a webpage without the user downloading any software, simply visiting a compromised website could disclose sensitive information to a 3^rd party.

What are the manufacturers doing? 

This is fluid and more patches and firmware updates will be released over the coming months.

Microsoft is releasing security patches over the coming week – Windows 10 is already released. 

Microsoft will not release patches for unsupported operating systems such as Windows XP and Server 2013 leaving these systems exposed.  If you are still running one of these older versions we suggest you speak with your account manager about migration options available.

Apple is releasing a security patch for its most recent operating systems.

VMware has released a security update.

Many hardware manufacturers are releasing firmware updates to help address the issue.