Microsoft, Sophos and Apple respond to Meltdown and Spectre bugs
Security researchers have publicised two serious security flaws, dubbed Meltdown and Spectre, that affect “nearly every computer and device” according to TechCrunch.
Both security flaws exploit vulnerabilities in computer, smartphone and tablet microchips and processors. Meltdown affects microchips made by Intel and ARM, whilst the more malicious of the two, Spectre, also affects these microchips as well as AMD chips. These vulnerabilities mean malicious programmes could ‘steal’ data processed on the device’s kernel – its core memory function – including data from other programmes.
These vulnerabilities have been known to security researchers for some time, but have only recently been publicly disclosed for the good of consumers and businesses alike; by secretly informing the companies affected like Intel, ARM and Microsoft, they stood a chance of releasing patches before hackers found out about these vulnerabilities – which would be at the same time as the general public.
Patches have already been released to defend against Meltdown, which affects the ‘barrier’ that protects kernel data from application access, meaning malicious applications can read and even modify it.
Spectre, whilst more difficult to exploit, is also more difficult to defend against. It ‘tricks’ applications into releasing kernel data that otherwise would be protected. Spectre is, worryingly, the bug with the widest possible reach as it affects a wider range of devices. Both bugs exploit speculative execution, a modern CPU performance feature that effectively speeds up and improves device performance.
For TSG customers with SystemCare contracts, we’ll be deploying all security patches as they are released, so you can rest assured that you’ll be in the best possible position to defend against this threat.
TSG Gold Partner Microsoft has responded by releasing several security patches, as well as securing its many cloud services. It has recommended that the best way customers – both business and consumer – can protect themselves and their systems from these flaws is to keep their machines up-to-date with its vital security patches, and continue to operate on current operating systems.
In order for Windows users to install the Microsoft security patch, the company has confirmed they need to be running a compatible and reputable anti-virus solution. As a Platinum partner of Sophos, we know it has also been working hard to keep customers safe from these vulnerabilities and has tested its security suite against the Microsoft patch, confirming there are no compatibility issues. This means customers using both Microsoft and Sophos products can continue to do so. The requirement here is to have that compatibility reflected in the registry key; it’s expected that Sophos will be automatically releasing this update today.
For consumers, Apple has also been quick tno react and has released patches in its iOS, macOS and tvOS operating systems which will protect against Meltdown. The company will also imminently release an update for its web browser, Safari, on both macOS and iOS, which it has determined is the application most vulnerable to Spectre. Affected chip producer ARM has “a set of mitigations” for its vulnerable chips, whilst Amazon is in the process of updating its servers. You can see a full list of these business updates on Forbes’ website.
Affected businesses are taking big steps to mitigate the risks for their customers by releasing security updates and patches, but the longer-term solution will require fundamental changes to the way hardware, including chips, processors and circuit boards, are manufactured. The authors of the Spectre paper blame these vulnerabilities on the rush to increase performance, which they said has come at the cost of security.
The consumers and businesses that are most at risk are those who are running outdated operating systems, and those who don’t regularly install security updates. If the global WannaCry attack wasn’t enough of a warning to keep your devices up-to-date, this certainly is. Running free or mediocre anti-virus solutions also leaves you at risk; if your anti-virus isn’t compatible with the Windows patches, Microsoft won’t install these updates, leaving your systems vulnerable.
TSG is here to help customers who have concerns over these bugs – for further information you can get in touch with us by emailing firstname.lastname@example.org.