2018 is here, and the New Year has quickly brought us our first major security issue.
This new threat affects virtually all endpoints with a modern processor including laptops, desktops, servers, tablets, and cell phones. These vulnerabilities, specifically called Meltdown and Spectre, were found by members of the Google Project Zero research team months ago and have the potential to allow malicious entities to steal sensitive data running in memory.
Since notifying technology organizations including Microsoft, Google, and Intel, work has been done on software patches to protect endpoints from this critical design flaw.
These flaws were originally scheduled to be made public by the research team on January 9th. However, given the “growing speculation in the press and security research community about the issue,” they decided to make the flaws public on January 3rd.
Microsoft in turn has released emergency patches for Windows 10 and Server 2016, and will be releasing patches for all supported operating systems on January 9th, including Windows 7, Windows 8.1, Server 2008 R2, Server 2012 R2. At this time, there is no indication that updates will be released for non-supported operating systems like Windows XP and Windows Server 2003.
It is important to note that given this has not previously been made public, no known exploits are being used in the wild at this time.
Even so, VCPI takes security very seriously, and we know that only time will tell how long it will take attackers to capitalize on this. As such, we are working internally on plans to patch all servers and endpoints when patches are made available. However, there is widespread consensus that the patches will cause some performance degradation, although how much will depend upon the workload on the endpoint.
Contact your IT department for more information on how you may be affected, and continue to educate your teams on security best practices.