The Division of the CIO is working with technology partners to address the Meltdown and Spectre exploits reported in the news over the last few days.
Both Meltdown and Spectre rely on weaknesses in the architectural design of modern microprocessors. Carefully crafted sequences of instructions followed by precise timing of memory fetches can be used to deduce the contents of protected memory.
Many factors are at play in understanding the path to mitigation for these security flaws and, while software patches are being developed to mitigate the exposure, they are limited in how much protection they can provide to hardware weaknesses.
Below is information about the Meltdown and Spectre vulnerabilities, as they pertain to mobile devices and PCs commonly used by RPI staff, based on the information available at this time.
What do we know?
Spectre and Meltdown
- Google says that “exploitation has been shown to be difficult to exploit and limited on the majority of Android devices.”
- Google’s latest security patch, which was released in December, “includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors.”
- A spokeswoman for Samsung said "for Samsung's Android based mobile devices with the latest security update, the exploit is effectively mitigated".
- Google recommends applying any and all future updates which may include additional fixes for the Spectre and Meltdown vulnerabilities.
Apple iOS (tablets & iPhones) and macOS
- Apple says that the Meltdown bug affects mac OS and iOS devices. Apple has released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown.
- Assure your Mac and Apple devices are current with the latest version of the macOS and/or iOS.
- Apple says all Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.
- Apple has released updates for iOS, macOS High Sierra, and Safari on Sierra and El Capitan to help defend against Spectre.
- To help defend against Spectre, Apple encourages users to update to iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan.
- Please continue to assure your iOS and macOS devices are current with the latest version.
Windows PCs (all versions)
Microsoft has released Windows patches — Security-only Updates, Cumulative Updates, and Delta Updates — for a wide array of Window versions, Tuesday January 3rd.
- Win7 and 8.1 Monthly Rollups were released on January 9th, Patch Tuesday (can be applied through Windows update)
- The fix for Win10 are inside the Win10 cumulative update, currently available through regular Windows update mechanisms.
- There are cumulative updates for Internet Explorer 11
- The fix for the Edge browser are inside it’s respective Win10 cumulative update.
- If you’re running third-party antivirus, it must be updated before the Meltdown patch installer will run.
The software patches currently available will fix the Meltdown flaw, and some software patches can help mitigate the Spectre flaw, but Spectre will likely continue to affect all modern CPUs until new hardware is released to fix it.
What is the Division of the Chief Information Officer doing?
- End-user devices and priority servers are being patched as quickly as reasonably possible.
- Other servers with little or no avenue for exploit are being patched more carefully to understand any performance issues of the patches.
What can users and system administrators do?
- End users should NOT defer the installation of vendor-provide security patches for Meltdown and Spectre.
- Sever administrators should classify and prioritize their servers and applications before applying the patches, research the effects of OS updates on running applications, take a metered approach to applying patches, and ultimately work to patch all of their systems as soon as reasonably possible.
- Everyone should observe basic Internet “hygiene” practices.
- Apple recommends users protect against exploits by only downloading software from trusted sources. Since the App store is the only place iOS users can download apps, this shouldn’t be difficult.
- The Android security team actively monitors for abuse through Google Play Protect and warns users about potentially harmful applications.
- “Google Play Protect” is enabled by default on devices with Google Mobile Services. Assure Google Play Protect is enabled.
- Google recommends installing only applications from trusted sources like the Google Play app store.
- Apply all patches to systems, including mobile devices, laptops, desktops, and servers, at regular intervals.