Quick update about Meltdown & Spectre
Two major CPU vulnerabilities that shook the world
Last month Google's Project Zero disclosed details about two major CPU vulnerabilities that shook the world and revealed a design flaw that affects almost all Intel, AMD and ARM processors, which, combined, power most of the world's modern computing devices.
These two micro-architecture vulnerabilities, code-named Meltdown and Spectre, can be found in almost all personal computers, servers, cloud infrastructure, and mobile devices like phones and tablets. Most operating systems and software should be updated immediately to protect against exploitation. Notificare and its infrastructure providers have already deployed patches on all the machines in our network to address these vulnerabilities.
What are Meltdown and Spectre?
The Meltdown vulnerability, CVE-2017-5754, potentially allows hackers to bypass the hardware barrier between applications and kernel or host memory. A malicious application could therefore access the memory of other software, as well as the operating system. Any system running on an Intel processor manufactured since 1995 (except Intel Itanium and Intel Atom before 2013) is affected.
The Spectre vulnerability has two variants: CVE-2017-5753 and CVE-2017-5715. These vulnerabilities break isolation between separate applications. An attacker could potentially gain access to data that an application would usually keep safe and inaccessible in memory. Spectre affects all computing devices with modern processors manufactured by Intel or AMD, or designed by ARM (ARM processors are the dominant computing platform for the vast majority of mobile devices, including phones and tablets from Apple, Google, Samsung, HTC, etc.).
These vulnerabilities could potentially be exploited to steal sensitive data from your computer, such as passwords, financial details, and more — including information stored in apps like password managers or banking software.
What Did We Do?
The security of our applications and servers is our main priority. Our engineering and security teams are closely monitoring this situation and working with our vendors to ensure that all of our systems are patched and these vulnerabilities are mitigated as quickly as possible. As patches become available, they are applied immediately.
One of Notificare's service providers is Amazon Web Services (AWS). At this time, all infrastructure that AWS provides us has been patched to mitigate potential risk from these vulnerabilities.
In addition, our engineering team has taken steps to ensure that workstations, as well as all devices used by our staff, are updated to reduce the risk of any potential attack.
Are You Affected?
Yes. The vulnerabilities are present on all devices with affected CPUs, including desktops, laptops, servers, cloud infrastructure, and mobile devices. However, you can install operating system and software patches that mitigate the risks posed by Meltdown and Spectre.
What Should You Do?
This is a great opportunity to do a quick “Check for Updates” on all of your devices and applications and install anything that’s available. Install all the operating system updates, such as:
Update browser software:
- Mozilla Firefox version 57.0.4 or higher
- Microsoft Edge is patched in Microsoft Update KB4056890
- Safari 11.0.2
- Google Chrome 64 should be installed immediately when available on January 23. In the meantime, enable site isolation.