On January 3, 2018, two new high-severity vulnerabilities were disclosed. The vulnerabilities are named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). They are inherent to certain computer processors and how those processors protect memory. Specifically, the vulnerabilities could allow malicious applications to access protected memory reserved for an operating system kernel, leaking protected sensitive data.
Intel has reported that it has been working with developers of various operating systems, such as Microsoft Windows and Linux distributions, for several months to address these issues. A press release from Intel states that the company was planning to release this information the week of January 8, 2018. We believe this indicates that Microsoft was likely planning to issue a patch during the normal January 9, 2018 patch cycle. The patch for Windows 10 from Microsoft was released out of cycle and became available at 5 PM EST yesterday, January 3, 2018. Customers who are not using automated Windows Updates should apply this patch as soon as possible. Patches for other Microsoft operating systems have not been released yet.
Customers should continue to monitor security updates from vendors of operating systems to determine when a patch will become available for their products.
At this time, there are no other actions users can take to mitigate this issue. Affected hardware and software will need to be patched once vendors release these security updates. Once these updates are released, vulnerability scanners will be updated to identify systems which are missing these patches.
Pratum advises all customers to continually update vulnerability scanning signatures and profiles to check for the existence of these patches. Customers of Pratum’s managed vulnerability scanning service will automatically receive these updates, and no additional action is needed.