In early 2018, computer researchers released findings about a hardware design flaw that affects the CPU in most modern computers. This flaw impacts the security of these devices. Bad news – this vulnerability most likely affects you.

This defect has been there for years. It allows malicious programs to steal data being processed in your computer’s protected memory. Normally, applications can’t do that because they are isolated from each other, and from the operating system. This hardware flaw breaks that isolation.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. A malicious program can exploit Meltdown and Spectre. It then gets hold of secrets stored in the memory of other running programs. This memory might include your passwords stored in a password manager or browser, your personal photos, emails, or business-critical documents. Depending on the cloud provider’s infrastructure, hackers may be able to steal data from other customers.

What is the difference between Meltdown and Spectre?

Meltdown breaks the isolation between the user app and the OS, so the app can do a memory dump and steal any data in RAM. It’s called Meltdown because this vulnerability melts security boundaries that are normally enforced by the hardware. Meltdown requires a hacker’s application (.exe) to be run on the target machine in order to steal information.

Spectre uses a similar trick to steal information from computer memory. It breaks the isolation between applications. Spectre tricks other applications into accessing arbitrary locations in their memory. With Spectre the hacker can launch the exploit through a browser without having access to the computer’s console. The name comes from the root cause, speculative execution.

What is Being Done to Fix the Meltdown and Spectre Flaw?

Hardware and software providers are frantically developing patches as we speak. However, performance features of computer processors may need to be disabled to protect computers. Experts speculate that computer performance could drop by as much as 30%. This will be the largest problem with the most utilized computers. Personally, I hope that a smart and creative engineer can introduce a solution that protects the computers of the world without a huge sacrifice to performance.

Take These IT Security Measures Immediately

Invario will deploy all critical patches for computers that we manage as they become available. Vendors such as Microsoft and Google are working quickly to roll out patches. We may also recommend replacing some mission-critical heavily used computers to fix this.

Next, understand that the vulnerable machine has to have malware running to exploit this vulnerability. Be extra vigilant, with security top of mind. Think Before You Click. Sadly, hackers are using this news to try to trick you into downloading malware that claims to be a patch for the “Meltdown” and “Spectre” hardware issue. At the office, do not act on any emails or popups that tell you to urgently update your computer. At the house, take the same precautions. Patches should only come from official sources like the manufacturer of your PC or the developers of your Operating System (Microsoft Windows or Apple Mac).

When logging into protected websites through a browser, please take the extra step to log out of these sites (which closes the door on your session) rather than just closing the tab or browser.

I recommend IT security awareness training for all users. Invario provides corporate security awareness training as part of our ongoing security services. Contact Invario today if you have questions about software patching or security awareness training.

Invario Referral$

If you know of a company that would be interested in the services of Invario Network Engineers, please reply to this e-mail with your suggestions, and the individual we should contact.

That is all you have to do! Upon receipt of the first payment from a new customer, Invario will pay 10% of the retainer or labor portion of the first project to the referring person or company. If a new customer signs up for a Worry-Free IT or Server contract the referring party would receive the equivalent of one month of the agreed to contract.

Recipients that do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.

Feedback

If there is an IT topic you would like to know more about please e-mail me your suggestions.

Dave Wilson, President

Print This Post Print This Post