Meltdown and Spectre: High risk vulnerabilities you need to action now
Over the Christmas break last year, two serious new vulnerabilities were announced that require patching across multiple areas: Meltdown and Spectre. These are the biggest and broadest vulnerabilities disclosed in many years, and it is important that systems, devices and applications are patched to close them off.
Based on information released by Microsoft, mitigating these vulnerabilities requires updates to both hardware and software. To take advantage of all available protection, hardware/firmware and software updates are required across your business. This may include microcode from your server, desktop, laptop and mobile device suppliers, and in some cases updates to antivirus software as well.
The systems that need patching include:
- Server, desktop and laptop CPU BIOS and microcode security patches
- Virtual Server Hypervisors for VMware, Hyper-V and Azure
- Operating System security patches for Windows Servers, Desktops and Linux Servers
- Web browser security patches for all web browsers
- Application security patches for many applications that use or interact with web services
- SQL Database security patches
Meltdown and Spectre will also affect other systems such as Android, Chrome, iOS and macOS, so we advise customers to seek guidance from these vendors. You will need to identify your own affected systems and take appropriate measures within your organisations and at home. We highly recommend that you consult the vendors of your operating systems and computing devices for updates and instructions as needed. For Windows users, guidance has now been published and is available here. SQL Server patches are available for all versions of SQL Server from 2008 to 2017.
I’m an existing Professional Advantage Managed Services and Hosting client. How does this affect me?
With public disclosure of the security vulnerability, we have accelerated the implementation of vendor-supplied updates and mitigation recommendations as they become available. If you are an existing Professional Advantage hosting client, we have already patched the following as part of your hosting service:
- PA Hosting Virtual Server Hypervisors for VMware have been patched
- Azure infrastructure and the hypervisor layer below the operating system have been patched
- Operating System security patches for Windows Servers, Remote Desktops, Citrix Desktops and Azure Operating Systems have been applied
- Microsoft Internet Explorer 10 and 11 and Microsoft Edge have been patched
However, as mentioned above, there are some other areas outside the scope of our managed services that require steps to mitigate these latest threats. We are awaiting an update from HP to allow us to apply an HP patch to our PA Hosting server firmware and BIOS, but the mitigation strategies that we have already completed provide a level of protection while we wait for HP’s patch.
SQL patches are considered part of the application stack, hence they are not patched as part of our managed service. For this reason, we have not patched SQL servers at this stage, but as mentioned earlier in this announcement, SQL patches are available for versions 2008 to 2017. If you would like your SQL Server patched, we can arrange for an application consultant to apply the appropriate patch. In some cases it will be a simple security patch; in other cases it may require a cumulative update rollup patch that may need testing.
Professional Advantage has already begun working with Microsoft and our industry partners, including hardware OEMs and application vendors, to protect our customers, and has already patched many systems to mitigate these latest vulnerabilities.
Do you know the extent of your vulnerability?
If you are not confident that you can address these vulnerabilities, we can help! We offer a no-commitment, 1-day risk assessment and mitigation plan service to anyone who needs expert guidance in addressing Meltdown and Spectre.
Contact us at 1800 126 499 to speak to a Professional Advantage consultant, or leave your comments below and we’ll make sure to get in touch with you for any assistance that you need.