Risk: High

CVE: CVE-2017-5754, CVE-2018-5753

Meltdown and Spectre are two CPU vulnerabilities that have recently been detected in Intel, AMD, ARM and Qualcomm processors. Currently there are no exploits available in the wild; however if successful, attackers can take advantage of three variants of the flaw and steal sensitive data, such as passwords and banking information. Spectre is affected by two variants, while Meltdown only has one variant of the flaw.

Meltdown mainly affects Intel processors, as well as some ARM processors, allowing hackers to bypass security barriers between applications that is usually managed by hardware.

Spectre on the other hand, allows hackers to trick error-free applications into giving up secret information and affects all aforementioned processor vendors.

Impacted Devices:

All computer devices, including desktops, laptops, servers, tablets and smartphones (iOS and Android) that run on most Intel, AMD, ARM and Qualcomm processors manufactured in the last decade are affected; some affected processors go back more than 20 years.

What UBC IT is doing:

We are continuing to assess the risk of this threat as it evolves. While that analysis is underway, the following activities are being conducted:

An inventory of affected systems is being built Patch availability is being analyzed, including released dates Released patches are being tested for production usage to identify any performance impacts Security vendors are being engaged to identify security controls that can protect against exploits, should they become available

Recommendations for Users:

Based on current industry information, the only solution to fully resolve the issue will be to replace the hardware; however, at this time no new hardware is available to address the issues; in the interim patches are available to mitigate against future attacks that can exploit the two vulnerabilities.

Take care to ensure any patches or updates are obtained from official vendor sites, as there have been reports of hackers distributing malware masquerading as patches.

Mitigations will include a combination of BIOS/firmware updates for hardware, in addition to operating system and application patches. It is strongly recommended that non-technical users not attempt upgrading the BIOS themselves, especially if there’s a possibility that the computer is encrypted, as this would likely render the computer inoperable.

attempt upgrading the BIOS themselves, especially if there’s a possibility that the computer is encrypted, as this would likely render the computer inoperable. Please update your antivirus software.

Please update your operating system and download the latest patches. Below is the status of updates of browsers and operating systems that we have put together regarding the patches.

Meltdown & Spectre Operating System Patches:

Windows Desktop: Microsoft released patches for Windows 10, 8.1 and 7 SP1 on Jan 3 for systems with compatible Anti-virus; Sophos, Trend Micro and Cisco AMP are compatible – see links below for details

Windows Server: Microsoft released patches for Windows 2008 R2, 2012 R2 and 2016 on January 3 for systems with compatible Anti-virus (as above)

macOS, iOS, tvOS: Apple released patches in December and January. Patched versions are: macOS 10.13.2 Supplemental Update, iOS 11.2.2, tvOS 11.2, macOS Sierra 10.12.6, and OS X EL Captain 10.11.16. Apple watch is unaffected

Android: Google pushed patches for both vulnerabilities to manufacturers in December 2017. Please check with your hardware manufacturer for when/if an update will be available for your device. Google supported devices that will receive the patch include Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL.

Chrome OS 63: Introduced protections for both vulnerabilities in Dec 2017

Red Hat: released multiple updates – see the link at the bottom for patch availability

Ubuntu: to be released Jan 9 for 17.10, 16.04 LTS, 14.04 LTS, 12.04 ESM

VMware: has various patches for products – see the details in the link below

Amazon Web Services: They are patched, but customers must still patch the OS running in Amazon’s virtual machine

Azure is patched, customers need to reboot their virtual machines

Spectre Browser Patches:

Chrome: Partial protection will be introduced on January 23 in Chrome 64

Edge & Internet Explorer: Microsoft has already made updates to both browsers and more improvements are expected to be coming

Firefox: Mozilla has released partial mitigations on January 4 in 57.0.4 for desktop browsers on Windows macOS and Linux (no iOS or Android updates yet)

Safari: Apple has released an updated version of Safari in addition to updates for iOS and macOS

More information