By Matt Kwiatkowski, Cyber Security Operations Manager, BIS
You may have heard of the “Meltdown” and “Spectre” computer-chip flaws — two related vulnerabilities that make many computers, and some smartphones, susceptible to data theft or other attacks. How concerned should we be?
To start, the sky is not falling! Media will likely sensationalize the gravity of the problems, but in reality the fix is deploying patches.
Both vulnerabilities revolve around a hardware limitation with the main processor (called the CPU) in most computers. The computer is designed to separate and protect sensitive system data like passwords and encryption keys which keep our sensitive information secure. The Meltdown vulnerability allows an attacker to bypass these protection boundaries. This allows the attacker to read any or all of a computer’s memory which contains working copies of passwords and encryption keys.
Spectre is similar in nature but is web-based and could be exploited while a user is surfing the internet. This would allow a remote attacker to read any or all of the same sensitive system information.
(If you are familiar with virtualization technology, these vulnerabilities could also allow attackers to traverse memory used on systems within the physical cluster.)
So what can you do? Some patches are already available, and in the coming days and weeks, patches will be released by every affected software vendor. It will be imperative for you to patch your personal devices as soon as you get notification that a new version or patch of software is available. Read patching instructions carefully, as we have seen reports that applying patches in a certain incorrect order can cause your system to become unstable.
Argonne Cyber Security is monitoring the status of patches for our installed software and will apply them through normal means. We’ll also take active action to block intrusion attempts and prevent vulnerable systems from accessing the internet after systems have been updated.
If you have any additional questions, comments or concerns, please reach out to cyber@anl.gov or the BIS Service Desk at ext. 9999 option 2.