Meltdown and Spectre Vulnerabilities: What You Need to Know | Information Technology | University of Pittsburgh

Meltdown and Spectre Vulnerabilities: What You Need to Know

Monday, January 8, 2018 - 22:54

 

What is the Issue?

Modern computer processors use a technique called speculative execution to run faster. However, security researchers have discovered that speculative execution also makes those same processors vulnerable to attackers. These vulnerabilities have been dubbed Meltdown and Spectre.

Why Should I Be Concerned?

Most desktops, laptops, servers, smartphones, and tablets use processors that are vulnerable. However, an attacker would need to execute harmful code on an affected device in order to exploit the vulnerabilities. If an attacker successfully exploited one of the vulnerabilities, they could access data they would not normally be able to see, including passwords or security certificates.  

What is Pitt Doing?

Computing Services and Systems Development is conducting a detailed inventory of enterprise systems that could be susceptible to these vulnerabilities and will apply the appropriate security updates. We are also working with University departments to identify and patch any susceptible departmental servers and systems.

What Can I Do?

1. Update your antivirus definitions and software.

For example, if you are using Symantec Endpoint Protection, then run LiveUpdate.

Note: Your antivirus software should be up to date before you attempt to apply any operating system patches. If you are running an older version of Symantec Endpoint Protection, be sure to update to the latest version.

2. Update your computer’s operating system.

For example, if you are using Microsoft Windows, then run Windows Update.

Note: At this time, CSSD recommends that you do NOT patch computers running AMD Athlon processors, as the patch has been reported to create problems. See http://www.zdnet.com/article/windows-meltdown-spectre-update-now-some-amd-pc-owners-post-crash-reports/ for more information.

Note: If you use the Pulse client to securely connect to University resources while off campus, be sure you have downloaded and installed the latest version of the Pulse client from software.pitt.edu before installing the Microsoft update. Once installed, the Microsoft update will prevent older versions of the Pulse client from working properly.

3. Apply other software updates as they become available after appropriate testing.

Refer to the list below for links to the latest updates from various software vendors.

4. Apply firmware updates as they become available after appropriate testing.

Note: Firmware updates are specific to the type of computer and vendor. For example, there are different firmware updates for vendors such as Dell and Toshiba. Vendors will be releasing firmware updates in the near future.

Vendor Information

The following vendor information is current as of Jan. 8, 2018. We will update this page with new information as it becomes available.

Apple

  • iOS 11.2 (for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation). iOS 11.2 includes a patch for Meltdown. Patches for Spectre are expected soon.
  • A second patch to be applied to the Safari web browser has been released.
  • Apple Watch is not affected by either Meltdown or Spectre.

Android Open Source Project

  • Security patch levels of 2018-01-05 or later address all of these issues. Apply system updates as soon as they are available from your phone manufacturer.

Google

  • Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.

Microsoft

  • In general, apply Microsoft updates as soon as they are available. However, not all antivirus products are compatible with the recent security update that Microsoft released. If you have not been offered the security update by Microsoft, then you may be running incompatible antivirus software, and Microsoft recommends you consult with your antivirus vendor. Learn more…

Mozilla

  • Firefox 5.7.04, released on January 4, mitigates the Meltdown and Spectre vulnerabilities.

Other vendors