Response to recent security vulnerabilities Meltdown and Spectre
Two new security vulnerabilities, termed Meltdown and Spectre, have been discovered in modern processors. These high profile vulnerabilities have recently received news coverage as they affect most modern computing devices and systems.
The Meltdown and Spectre vulnerabilities may allow attackers to use malicious programs to steal passwords, account information, encryption keys, or other sensitive data. Windows, Apple, Red Hat, VMware, Oracle, and other vendors have already released updates to address the Meltdown vulnerability. Please note that there are possible performance degradation impacts that will result from the Meltdown patches. Spectre, while more difficult to exploit, is unable to be fixed in software and will require manufacturers to create new hardware. It is important to watch for updates from manufacturers of your devices and operating system vendors. University policy requires that all systems must apply security patches to be compliant with the University's Security Patching and Technical Vulnerability Management standards.
The Meltdown and Spectre vulnerabilities affect many CPUs, including those from AMD, ARM, Intel, virtual CPUs, and the devices and operating systems running on them. There have been no reports of attackers exploiting the Meltdown vulnerability, however, security researchers have released proof-of-concept code demonstrating methods of exploitation.
What can you do?
The University’s Office of Information Technology (OIT) is working to test and apply critical Meltdown patches to OIT-managed systems as quickly and safely as possible.
Recommendations for personal devices and University devices or systems include:
Apply operating system updates as they become available after appropriate testing. Microsoft, Apple, the Linux community, and others have already released updates that begin to address the vulnerabilities and may release more as researchers learn about the vulnerabilities and their possible impact.
Apply other software updates as they become available after appropriate testing. Microsoft, Google, VMware, and Amazon are all issuing patches for their cloud offerings, for example.
Apply firmware updates as they become available after appropriate testing.
While it has been reported that the software updates could potentially slow performance, it is highly recommended that these patches still be installed. If you have questions about these security vulnerabilities, please contact email@example.com.