Security Awareness – Meltdown and Spectre security vulnerabilities


What are Meltdown and Spectre vulnerabilities?

Meltdown and Spectre are security vulnerabilities caused by processor code design flaws that affect most computing devices produced since 1995. These flaws could result in unauthorized disclosure of information to an attacker.

Hardware, operating system, and application manufacturers are reviewing how these vulnerabilities affect their products and many are issuing security updates and patches to block the vulnerability. Some updates are already available, others are scheduled to be released later in January 2018. For detailed information about these vulnerabilities see: https://meltdownattack.com

What should you do about Meltdown and Spectre vulnerabilities?

While installing tested security updates and patches is always recommended – being the first to adopt, without adequate testing, can result in downtime and loss of data. Early adopters of the Microsoft Windows 10 security updates have reported incompatibility with some anti-virus software and AMD processors. It is therefore recommended to take a step-wise cautious approach in mitigating these recent security threats.

  1. Back up your data before applying any updates - If an update fails to install it may result in a loss of data. Back up your data before you update hardware firmware or install software security updates and patches.
  2. Update web browser software - A compromise could occur by visiting a website running malicious JavaScript that could read information from your computer’s processor. To prevent this from occurring, update Web browser software to block the vulnerability. Safari, Firefox, Chrome, Edge, and Internet Explorer all have updates available to install.
  3. Update operating systems - Apple and Microsoft are releasing updates to their operating systems to block the vulnerability starting with the most recent versions. Microsoft Windows, Apple iOS and MacOS High Sierra have updates available. Microsoft has added a pre-installation check for anti-virus and AMD compatibility -- you may need to update your anti-virus software before updating Windows. Updates for some older manufacturer supported operating systems are being developed.
  4. Update hardware firmware - The core vulnerability is in the processor microcode and can be most completely remediated by updating the device’s firmware. Intel has indicated they will distribute a firmware update within the next two weeks. Hardware vendors including Apple and Dell will be releasing firmware updates for many recent models – consult the manufacturer directly for availability.

How to obtain manufacturer updates

The US Computer Emergency Response Team (CERT) vulnerability guidance includes links to manufacturer remediation information including downloads and scheduled release dates. For more infomation see: https://www.us-cert.gov/ncas/alerts/TA18-004A

Need Help?

If you experience issues or have questions, please contact the ITS Service Desk at service@sfsu.edu or 415-338-1420.

For more information

The Information Security team has introduced an ongoing Information Security Awareness program for faculty and staff. This program is designed to help employees protect their sensitive information and that belonging to others. The program combines monthly advisory messages with phishing training exercises. For more information please see the Information Security Awareness program for faculty and staff guide at: https://its.sfsu.edu/guides/informationsecurityawarenessprogramfacultyandstaff