Advisory: Apply updates for computer chip vulnerabilities
Please be advised that security vulnerabilities in computer chips made by Intel, AMD, ARM and others could allow low-privilege processes to access kernel memory that is allocated to other running programs.
The vulnerabilities — called Meltdown and Spectre — could allow an attacker to access information including passwords, encryption keys and more.
Linux, Windows, Apple, and others have already released updates to begin addressing the vulnerabilities. Watch for updates from the manufacturers of your devices and operating system vendors and apply them as soon as possible after appropriate testing.
Here’s what you need to know:
The problem: According to Wired, "The theoretical attack, which takes advantage of quirks in shortcuts Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer. On multi-user machines, like the servers run by Google Cloud Services or Amazon Web Services, it could even allow hackers to break out of one user's process and instead snoop on other processes running on the same shared server."
Affected systems: Devices that include an affected chip or processor. This includes Intel chips, as well as those made by other companies.
- Meltdown: Every Intel processor that implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). All modern processors capable of keeping many instructions in flight are potentially vulnerable.
- Spectre: Almost every system is affected by Spectre, including desktops, laptops, cloud servers, smartphones and so on. Spectre has been verified on Intel, AMD, and ARM processors.
Action to take:
- Apply operating system updates as they become available after appropriate testing. Microsoft, Apple, the Linux community and others have already released updates that begin to address the vulnerabilities and may release more as researchers learn more about the vulnerabilities and their possible impact.
- Apply other software updates as they become available after appropriate testing. Microsoft, Google, and Mozilla are all issuing patches for their web browsers, for example.
- Apply firmware updates as they become available after appropriate testing.
Learn more by visiting the Safe Computing website.