Office of the Chief Information Security Officer

Meltdown and Spectre

Risk Advisory

Update (May 4, 2018)
Microsoft recently released microcode updates which can be applied to Windows 10 and Windows Server computers. If the hardware vendor is unresponsive or the computer is too old to receive the BIOS update, this patch can mitigate the Spectre 2 vulnerability.

The Microsoft-supplied microcode update:

  • Must be obtained and installed manually. It is not available through Windows Update.
  • Is not expected to have an adverse impact even if a BIOS update to mitigate Spectre 2 has already been applied.
  • Offers a benefit in large, managed environments, because it is likely easier to distribute this update via configuration management channels than to manage a large number of BIOS updates.
  • DOES NOT permanently patch the computer. This is a runtime fix. If the OS is reinstalled, this update must be reapplied, which would not be the case if a BIOS update is applied instead.

More information and relevant links can be found here:
https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates


Introduction
Information security researchers have found two major security vulnerabilities, dubbed “Meltdown” and “Spectre,” that affect the processing chips in almost every computer made in the last 20 years (including mobile phones, embedded devices, cloud computers, etc.).

These vulnerabilities could allow attackers to steal data, including passwords and other information previously thought to be inaccessible, from almost all types of computers and devices. The Meltdown vulnerability affects only Intel processors, whereas the Spectre vulnerability affects Intel, AMD, and ARM processors.

What to do

This is a complex security issue as it impacts multiple layers of computing. The firmware, operating system, web browsers, and antivirus software on devices all need to be patched. In general, users will need to:

  1. Apply available web browser updates.
  2. Verify that you are running a supported anti-virus (AV) program before you install your OS or firmware updates. Please check with your AV software vendor for compatibility information. Sophos users can visit https://community.sophos.com/kb/en-us/128060 for more information.
  3. Apply all available OS updates.
  4. Apply the applicable firmware update provided by the device manufacturer.

The tables below indicate the latest information we have on patches related to the most common configurations on campus. We will post updates as they become available.

Operating systems

OS                                       Version(s)   Patch status   Notes
Windows (except for AMD-based devices)   10, 8.1, 7   yes            Patch only works with compatible antivirus software
Windows AMD-based devices                             on hold        More info: https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices
Mac OS X                                 High Sierra  yes
                                         Sierra       yes
                                         El Capitan   yes
Linux                                                 possible       Check details for your distribution
Android                                               depends        Check with your cellular provider
iOS                                      11.2         yes
Chrome OS                                63           yes            More info linked in References below

Web browsers

Browser            Patch status   Notes
IE 11              available      Included with Windows updates
Edge               available      Included with Windows updates
Safari v 11.0.3    available      Included in v 11.0.3
Firefox v 57.0.4   available      Included in v 57.0.4
Chrome v 64        available      Included in v 64

Check with your computer’s manufacturer for information related to the availability of firmware updates.
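
For Linux systems, where the table above says to check details for your distribution, kernels from 4.15 onward (and distribution kernels with the backport) report their own mitigation status under /sys/devices/system/cpu/vulnerabilities. The shell check below is an added example, not part of the original advisory; the function names and the SYSFS_DIR override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarize the kernel's Meltdown/Spectre status after patching.
# SYSFS_DIR can be overridden to run the check against saved copies of the files.
SYSFS_DIR="${SYSFS_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify FILE -> prints not_affected, mitigated, vulnerable or unknown.
# A missing file means the kernel predates this reporting interface, so the
# status cannot be confirmed and is treated as unknown.
classify() {
    [ -r "$1" ] || { echo unknown; return 0; }
    status=$(head -n 1 "$1")
    case "$status" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_host -> prints one line per issue; returns 0 only when every entry
# is mitigated or not affected, 1 when anything is vulnerable or unknown.
check_host() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        result=$(classify "$SYSFS_DIR/$name")
        detail=$(head -n 1 "$SYSFS_DIR/$name" 2>/dev/null || true)
        printf '%-11s %-13s %s\n' "$name" "$result" "$detail"
        case "$result" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live system when the interface is present.
if [ -d "$SYSFS_DIR" ]; then
    check_host || echo "Action needed: apply pending OS and firmware updates."
fi
```

A spectre_v2 entry that still reads "Vulnerable" after OS updates usually means the firmware or microcode update has not been applied yet.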

References
Meltdown and Spectre reference page published by researchers at Graz University
https://meltdownattack.com/

Chromebooks, Meltdown, and Spectre: Most Are Already Patched (blog post)
https://chromeunboxed.com/news/chromebooks-meltdown-spectre-patch

Google’s Mitigations Against CPU Speculative Execution Attack Methods
https://support.google.com/faqs/answer/7622138#chromeos

Apple OS security updates
https://support.apple.com/en-us/HT208465

Safari 11.0.3 update
https://support.apple.com/en-us/HT208475