Initial Info about Meltdown and Spectre vulnerabilities

  • Hank
    Participant
    Post count: 2
    #93153 |

    The following was sent out to the Computer Support Newsletter (CSN) email group and I am cross-posting it here for any folks that are not subscribed to CSN. If you would like to subscribe to CSN for future updates, just send me an email (hank_scott@sil.org).

    A number of people have asked what they should do about the highly publicized vulnerabilities called Meltdown and Spectre which were reported this week. Aside from saying how awesome I think those names are, I’d like to share what we are learning in GTIS and our planned course of corrective action.

    To save people from reading this entire message, the bottom line for end-users is that they don’t need to worry about doing anything special right now. I don’t want to minimize the importance of taking eventual steps to ensure security! But for the next few days we are advising people to just keep working as normal and next week look for another CSN update where we will share more specific details and recommendations.

    Now for those of you who want a bit more information…
    I’m not going to rehash details here about how these vulnerabilities work or how potentially bad they could be, since there have been many news articles about that. Here’s one: https://www.cnet.com/how-to/how-to-fix-meltdown-spectre-intel-amd-arm-windows-mac-android-ios/
    I will say that just about every modern device with a computer chip in it has these vulnerabilities present. That includes PCs, laptops, smartphones, and many other devices. Since it is impractical for us to buy all new hardware, most vendors are developing software fixes (patches) which can be applied to eliminate the risk.

    Some of those patches are becoming available now, but many more will be released early next week. In collaboration with security specialists at other organizations who we are friends with, we are not recommending any extra-special system patching right now beyond what you normally do. This is because:

    – There does not appear to be widespread active exploitation (yet…)
    – There is still conflicting information on patches, performance issues, etc. and we want the dust to settle before we recommend a specific course of action.
    – System patches manually applied without following all of the proper prerequisite steps may even render your computer unusable.

    Next week another CSN will cover more details based on what is available at that time. In the meantime, we recommend that you continue to apply normal Windows Updates and other system patches (such as on your mobile phones) which come from your vendor, or which are recommended by your local IT support person. (for most of you in the IT Connect group, you are that IT support person!)

    There are also some known issues in Windows which require your antivirus software to be updated before Microsoft patches are applied, to prevent critical system crashes. Some AV companies have already released those software updates, and others are still working on them, but we expect most to be available early next week. Not only will you need to apply Windows Updates (or iOS / macOS updates, or updates to WASTA, Ubuntu, and other Linux derivatives, and Android updates) but you will also need to upgrade your browser to a new version, regardless of whether you are running Chrome, Firefox, Edge, IE, Safari, or another browser. Most browsers already update themselves automatically, so this will be part of the eventual fix.

    The SIL GTIS team is also in the process of applying specific patches now to our cloud-based enterprise systems, to keep them secure. Also for people working at the JAARS and Dallas ILC campuses, our network administrators are rolling out Windows Updates and AV software updates to all of the managed computers now, which are being installed via the normal automated update process. If you work at another office location with a network and you have questions about this, please contact your local IT support person. (Again for most of you in IT Connect this IT person is probably you!)

    If you are a techie or maybe the local IT support person and are hungry for more details on these vulnerabilities, and you have time to invest in this topic, check out this ARS Technica article which gives a pretty good overview:
    https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

    Next week I will pass along some additional info regarding applying patches to Windows servers, which may be a bit more complicated than for normal Windows workstations. Not sure right now if that will be part of the CSN update or separate, since CSN is generally more focused on power users but not network admins.

    Sincerely,
    Hank Scott
    SIL GTIS Director of Development

You must be logged in to reply to this topic.