Computer Security Flaw: Meltdown and Spectre – what to do about it

Meltdown and Spectre

meltdown-spectre-100745817-large (computerworld)Meltdown and Spectre are 2 new security flaws found in processors of common devices, leaving most smartphones, laptops and other PCs vulnerable. If hacked, attackers can obtain password and other sensitive user data from such devices.

Users of Microsoft applications, note that a Server and Client Guidance and out-of-cycle patch has been released on 3 January 2018. See links below.

For users of MS OS and Applications, we recommend:

1.     Ensure that the 3 January 2018 Microsoft patch is applied via Windows update. To ensure that the appropriate patch is applied to your system, please note your Windows OS version and release (see reference link 1. below). If you do not know this information, please seek assistance from your IT staff/ service provider.
2.     Please also apply the PC Bios/firmware update when available (this is for Spectre specifically) – this is specific to the device manufacturer, e.g. Samsung, Lenovo, etc. Some device manufacturers release and send out patches (the way MS does), while others don’t, so please check in with your specific device manufacturer.

For more information on the impact of Meltdown and Spectre on servers, please see reference link 2. below.

Additionally, a compatible Antivirus software is required. Microsoft Update will not download/install this patch if no Antivirus software installed. Please note that some antivirus software is incompatible with this out-of-cycle patch. We encountered this on one of our staff notebooks, where the “McAfee Internet Security” caused Microsoft Update to miss out the abovementioned 3 January 2018 update. It will take some time for McAfee to fix the incompatibility issue. Should this occur in your case, please enlist the assistance of your IT staff/ service provided to do a manual update to download the patch. Please do not attempt to do a manual update on your own (see reference links 3. and 4. below). You can consider installing the free Microsoft antivirus software – Microsoft Security Essentials (please see reference link 5. below).

Please note that major cloud providers (Amazon, Google, Azure) have all taken immediate steps to mitigate the risk to their servers. If you are hosting your email or data on a remote hosting facility, you may wish to contact your hosting service provider to ensure that they are taking steps to mitigate the risk to their servers, and to ascertain the impact on performance as a result of fixing the security risk.

If you run a virtual machine hosted on any of the cloud providers (e.g. Amazon, Google, Azure, Hostgator, Webvisions, etc), it will be necessary to take the same precautionary measures (and apply appropriate patches) for the virtual machine as if it were a physical one.

Please also note that users of any smart devices, whether Android, Mac iOS or other, will need to find out from their respective device manufacturers the patches required to mitigate the risks of Meltdown and Spectre. This will equally apply to users of Mac OS computers.

Reference Links:
1. Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
2. Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities
3. Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
4. Windows Anit-Virus Patch Compatibility
5. Microsoft Security Essentials