Two new serious security vulnerabilities have been discovered in the microprocessors inside nearly all of the world’s computers and mobile devices. Devices running Microsoft Windows, Google Android, Google ChromeOS, Apple macOS using Intel and ARM processors are all affected.
The two flaws, called the Meltdown and Spectre, may allow attackers to use malicious programs to steal passwords, account information, encryption keys, or other sensitive data. Windows, Apple and other vendors have already released updates to address the Meltdown vulnerability.
Spectre, while more difficult to exploit, is unable to be fixed in software and will require manufacturers to create new hardware. It is important to watch for updates from manufacturers of your devices and operating system vendors.
The Meltdown and Spectre vulnerabilities affect many CPUs, including those from AMD, ARM, Intel, virtual CPUs, and the devices and operating systems running on them. There have been no reports of attackers exploiting the Meltdown vulnerability; however, security researchers have demonstrated various methods of exploitation.
CIS is working to test and apply critical Meltdown updates to TC-managed systems and Banner environments as quickly as possible. Please note that there are possible performance degradation impacts that will result from the Meltdown updates.
What can you do about your personal devices?
Recommendations for personal computers and mobile devices or systems include:
Apply operating system updates as they become available. Microsoft, Apple and others have already released updates that begin to address the vulnerabilities and may release more as researchers learn more about the vulnerabilities and their possible impact.
Apply other software updates, including web browser updates, as they become available.
While it has been reported that the software updates could potentially slow performance, it is highly recommended that these updates still be installed.
If you have questions about these security vulnerabilities, please contact the Service Desk at x3300 or firstname.lastname@example.org.