What is it?

Meltdown and Spectre are two closely related security vulnerabilities that affect virtually all computers in the world. They stem from a flaw in the design of computer processors. The flaw has been present for years, but its discovery and the means of exploiting it were only revealed last week (1/3/2018).

Meltdown and Spectre allow nefarious programs to access the memory of other running applications, examine it, and potentially steal data. This could include confidential and sensitive data as well as account credentials such as usernames and passwords.

To date, no known breaches of data have been reported as a result of these flaws. However, the risk of future breaches will certainly go up, now that the flaw has been reported.

What’s being done about it?

Computer companies such as Intel, AMD, Microsoft, Dell, HP, etc., are working to provide patches that can mitigate the risks of Meltdown and Spectre. It’s important to understand that these patches do not eliminate the risk completely. The only way to completely eliminate the risk will be to create new processor designs that are not susceptible to them. That will take years.

The tech companies are attacking the issue from the “top down.” That is, they are focusing their efforts on servers first, then addressing desktops. This means that it may be some time before patches are available for all desktop computers, though most of our newer desktops will be patched soon.

Since the problem is primarily a hardware problem, patching software is not enough. Most vendors are recommending BIOS updates – erasing and updating the internal software of computer hardware. BIOS updates are uncommon in our environment, and the process to do this efficiently across thousands of systems is unknown at this time.

Department of IT Response

DoIT began patching for Meltdown and Spectre on 1/3/2018. The patching is complex, requiring multiple steps and reboots to accomplish. We anticipate reaching a 90% patch level by 1/19/2018.

As for BIOS updates, we are currently working on a plan to accomplish this, but do not have details at this time. Further details will be published to this page as they become available.

What can I do?

  1. Read email updates from DoIT carefully and follow instructions
  2. Save your work often
  3. Log off your computer in the evenings, but leave the power on
  4. Bring mobile devices such as phones, tablets, and laptops to campus and let them connect to the campus wireless. This should allow updates to be pushed to them.
  5. Patch your personal home computers, phones and tablets

For Further Information

https://spectreattack.com/