Intel Announced CPU Vulnerabilities
This week, Intel announced a set of vulnerabilities that affect every computer, phone and server with an Intel processor. These vulnerabilities have been assigned the names “Meltdown” and “Spectre”.
What is it?
Meltdown and Spectre both leverage a design flaw in Intel CPU hardware. This design flaw is estimated to have existed for approximately 20 years and could allow a malicious application to access protected information stored by other programs running on the computer.
Does it affect me or my company?
Meltdown and Spectre utilize flaws that exist in every computer, server, or cell phone with an Intel processor.
What do I need to do?
First off, avoid panic. This vulnerability has existed for 20 years and at the current time, there is no evidence that any malicious programs are utilizing this code.
The best thing that users can do right now is to practice caution. While we take this vulnerability seriously, you are still more likely to fall victim to a social engineering or malicious email scam than to be affected by this vulnerability negatively.
What is Worksighted doing?
We take your security very seriously. Since the moment the vulnerability was announced, we have been monitoring the situation and working on a plan of action.
What’s the next step?
Currently, all major vendors of hardware and software are working on patches to minimize the impact of these vulnerabilities. Worksighted will be actively monitoring the situation and will apply all available patches as soon as safe, effective, and stable patching is available and has been tested.
There have been some reports that patching to neutralize Meltdown and Spectre could cause performance issues. At the current time, the estimates of any performance issues have varied widely and have been mostly based on guesswork. Initial testing has shown very little performance degradation, which would likely be invisible to the end user. Because of the potential impact of these vulnerabilities, we consider any small performance degradation to be an acceptable cost.
There is a lot of information in the media regarding these announcements. Much of it is conflicting, and in some cases, a large amount of speculation is taking place. Currently, we consider these vulnerabilities to be high impact, but low risk. At this time there is no evidence that any systems have been attacked using this set of announced vulnerabilities. We continue monitoring potential threats and adjust our response if evidence of any real-world attack comes to light.
If you are a current Worksighted client and have any questions or concerns about this, or any other threat, please contact your Account Executive. If you are not a current Worksighted client and would like to speak to someone about this threat, please drop us a line.