Things You Should Know About Meltdown and Spectre

*Note: This post originally went live on January 25, 2018 but will continually be updated with new information with updated post date. See below with dates of additional information.

On January 2^rd 2018, the press announced the existence of three significant vulnerabilities that could be exploited to provide significant security concerns. Razberi has been closely monitoring this situation since the announcement, and while the situation continues to change, here is a summary of what we know today:

• The vulnerabilities are not specific to any one vendor and take advantage of technologies used in most CPUs today. Therefore, most products with a CPU are affected (desktops, laptops, servers, cloud-based systems, smartphones, etc.)
• The vulnerabilities allow a rogue program to read data in memory that should be off-limits. While this data can only be read and not changed, this still allows a bad actor access to objects such as passwords that should not be available.  With the proper passwords, of course, full access to the contents of the system is obtained.
• Patches will become available for both the Windows Operating System and the system BIOS. Updates will also be required for browsers and JavaScript engines.
• We expect this situation will not be resolved with simply one set of patches; expect a continuing set of patches to be made available (particularly for Windows) throughout the coming months. Therefore, protecting your systems will require periodically updating with the latest patches.
• These processor flaws represent a serious security risk and should be taken very seriously. Researchers have been able to demonstrate hacks based on these flaws. However, at this time, there are no known malware exploits circulating on the Internet.
• Current anti-virus products do not directly prevent malware exploits of these three vulnerabilities.

Intel has provided the following summary chart of the three vulnerabilities:

As you can see, there are three vulnerabilities, two of which (Meltdown and Spectre variant1) are mitigated with a patch to Windows.  The remaining vulnerability (Spectre variant 2) requires both a Windows patch and a BIOS update.

For further information on the situation, you may wish to refer to the following links:

• Intel Security Advisory
• Google – What You Need To Know
• Microsoft – Protect your Windows Devices
• New Windows Update Requirements
• Vulnerabilities FAQ

Updates for Razberi Products (as of 1/29/2018)

Microsoft announced over the weekend they are releasing a new patch that disables the updated Intel BIOS fix for the Spectre variant 2 vulnerability.  The new Microsoft patch was issued as a quick fix for numerous reports of instability with Intel’s latest BIOS microcode.

Please note that Razberi units do not require this latest Microsoft fix since we have not released updated BIOS and will not do so until it has been proven stable.

Updates for Razberi Products (as of 1/22/2018)

Intel today announced some progress in the development of patch to the microcode for Variant 2 Spectre.  They are now also advising that users stop the deployment of updated BIOS until a new version is released.  Razberi will continue to be cautious on updated BIOS and will post revised versions only after significant testing.  Stay tuned here and we will advise Intel’s progress.

Updates for Razberi Products (as of 1/19/2018)

4056890. 1. Razberi recommends the immediate patching of the Windows operating system.
            • If your Razberi is Windows 10 based and connected to the Internet, it is possible that Windows has already applied the current update patch (KB4056890). To verify, open windows Settings > Updates & Security > View installed update history and look for the presence of KB4056890.
            • If your Razberi is Windows 7 based and connected to the Internet, it is possible that Windows has already applied the current update patch (either KB4056894 or KB4056897). To verify, open windows Settings > Updates & Security > View installed update history and look for the presence of either KB4056894 or KB4056897.
            • If the patch is not present and your unit was shipped with CylancePROTECT, you will need to run a software utility to re-enable security downloads. Please see here to download the utility.
            • If the patch is not present and you are using a third party anti-virus program (not Cylance), you likely have an AV program that is not currently compatible with the required Windows patches. Please contact your AV provider for further instructions.
            • If your Razberi is isolated from the internet, you will need to download the patch manually and apply it.
              • For Windows 10, please see here for a patch overview and here to download the patch. For installation instructions, please see here.
              • For Windows 7, please see here for a patch overview and here to download the patch. For installation instructions, please see here.

1. 4056890. 2. It is important that all browsers be updated as well. The above Windows patches will update Microsoft Edge and Internet Explorer 11.  Firefox should be at least revision 57.  Chrome should be at least revision 64 (currently in Beta and scheduled for release 1/26/18).
            3. A BIOS upgrade will also be required. The upgrades are not yet available because they are dependent on new microcode releases from Intel. The new BIOS will be posted here as soon as the microcode has been released by Intel, tested, and proved stable.