By now you’ve probably heard about two serious flaws, Meltdown and Spectre uncovered by Google’s Project Zero vulnerability research team, which have been found in CPUs made by Intel, AMD, ARM and others.
The difference between Meltdown and Spectre is summarised as follows:
– Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory.
– Spectre tricks other applications into accessing arbitrary locations in their memory.
Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion, refer to the following papers (Meltdown and Spectre) Source: Meltdownattack.com
There are currently no known ways to remotely exploit these vulnerabilities so anyone attacking a system must have access to a server before they can actively exploit the vulnerability. Or, more likely, an unsuspecting person inadvertently visits a malware-laden site browsing from the server and opens their systems up to being exploited.
Digital Craftsmen conducted an extensive internal analysis this morning to assess our state of readiness, and are confident our ISO 27001 accredited security systems puts us in a good position to weather this current storm. The DCL team will be checking all updates on patches, keeping clients and readers of this blog alike informed of latest developments.
Threats to our IaaS
Digital Craftsmen VMware based hosting platform is not vulnerable to Meltdown and patches have been released to mitigate Spectre.
Access to all the servers Digital Craftsmen host is controlled and known by us so the attack surface is small.
The company will be applying patches to all systems as soon as the DCL team has evaluated the impact on performance.
Threats to Digital Craftsmen business operations
The company will be updating their own internal equipment when patches become available and has reminded everyone of their obligations to be careful opening unexpected links or documents; and being extra vigilant when visiting unfamiliar web sites. It is recommended that all businesses send out an email to their employees doing likewise.
If you have any queries regarding these vulnerabilities, or advice on how to manage this in your organisation, please contact firstname.lastname@example.org or call 020 7183 1555.
Recommended further reading about Spectre and Meltdown can be found on the following sites: BBC and The Register