Spectre and Meltdown Exploits
What are Spectre and Meltdown?
These are two exploits that take advantage of a vulnerability discovered in most modern processors found in desktop computers, laptops, servers, smartphones, and tablets. These processors have optimizations that let them preload bits of data associated with the data currently in use. While this speeds up processing, security researchers discovered that this preloaded data can be accessed by the Spectre and Meltdown exploits. The vulnerability was made widely known to the general public in January 2018.
What is the risk?
These two exploits peek at a processor's preloaded data. If an attacker is able to run code on a device, they can use these exploits to read data they wouldn't ordinarily be able to see, like passwords or security certificates.
What is CUIT doing?
CUIT is testing the patches recently released by our system providers and will deploy them using our system management software. Our managed customers should allow the patches to run as soon as they are notified by CUIT’s patching systems.
CUIT is also in contact with local IT departments across the University and is advising our non-managed customers to keep their desktops, laptops, smartphones, and tablets up-to-date with patches and system updates. We also recommend keeping your antivirus software updated.
What can I do?
Apply Update Patches
For computers, smartphones, and tablets that you own and manage yourself, make sure you enable automatic updates. This way, you'll get the latest patches as soon as they become available. If you have a CUIT-managed computer, please visit our macOS patching page or our Windows patching page.
Out-of-date antivirus definitions could interfere with patching. Keep your antivirus software up-to-date as well.
Patch Recommendations
The following recommendations are based on testing by CUIT's Client Device Engineering department on our managed computers and mobile devices.
Currently under evaluation
- 6.1.7601 - Windows 7 - Monthly Rollup Patch
- Firefox is patched with version 57.0.4
- Firefox ESR 52 is not known to be affected.
- Google Chrome will be patched on January 24 with version 64.
- Safari 11.0.2 is patched to protect against the vulnerability according to Apple.
None at this time.