Meltdown and Spectre


Updated on March 29, 2018


As reported by several media sources, a critical flaw in all modern CPUs could lead to disclosure of potentially sensitive information. These vulnerabilities are referred to as Meltdown and Spectre.

These vulnerabilities exploit CPU hardware implementations that are vulnerable to side-channel attacks. An attacker who is able to execute code with user privileges may be able to read information that would otherwise be protected within kernel memory. Most modern processors, including Intel, AMD, and ARM processors, are vulnerable.

The issues are organized into three variants:

  • Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass
  • Variant 2 (CVE-2017-5715, also Spectre): Branch target injection
  • Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load, memory access permission check performed after kernel memory read

What is NAVEX Global doing?
NAVEX Global has been monitoring these vulnerabilities since they were first reported and will continue to monitor them in the days and weeks ahead.

To mitigate these attacks, operating system, CPU microcode, and some application updates are being released. Microsoft currently has patches available for its operating systems and other software. After internal testing, these patches will be rolled out during our scheduled maintenance windows as follows:

Hosting
All servers have had Operating System patches applied.

Internal
All workstations and servers have been patched.

Additionally, NAVEX Global will apply patches to all affected hardware and software as manufacturer patches become available.

*Note: All hardware BIOS patches have been rescinded by the vendors for our equipment, so we have no patches to apply at this time.

