Why is this important? Many devices, including laptops, desktops and hardware in datacentres, may be vulnerable to Meltdown and/or Spectre. Vendors are working on (or have already released) patches to mitigate these issues. While there is currently no indication that the vulnerabilities are being actively exploited by malicious cyber actors, the ACSC advises you to patch your devices as soon as possible. What should I do now? Patches have been released, or are expected in the near future, for various operating systems and applications likely to be impacted. This includes updates for various web browsers. Firmware patches from the vendors of affected hardware are also expected in the near future. Some antivirus applications are currently not compatible with the security update released for Windows operating systems on 3 January 2018. Some users will have to wait until their antivirus software has been updated to apply this Windows security update. Microsoft have released guidance for Windows clients and servers. There has been speculation that the deployment of certain patches potentially causes reduced performance. Vendors have indicated that in most cases they see negligible impact, however performance can vary. The ACSC is unable to quantify the impact, however recommends that organisations consider this in their patching plans. For everyday users, the impact of applying these patches is unlikely to be noticeable. The risks or consequences of choosing not to patch are as yet unknown. We welcome advice on any performance impacts experienced as a result of patching. Organisations should apply patches when available from the affected companies. It is advised that when available these should be implemented within the timeframes recommended by the ACSC (i.e. within 48 hours of release for extreme risk security vulnerabilities). Advice for owners and customers of cloud services Applying the patches may have a performance impact on processing capability. But on balance, the ACSC's advice is to patch systems to address potential security vulnerabilities. Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) customers should have their environments patched by their provider. Customers should check the website of their provider to confirm the relevant patches have been applied. Infrastructure-as-a-Service (IaaS) customers will need to apply the relevant patches to their IaaS instances. Should you be operating at near maximum processing capacity, we recommend considering options to increase or manage capacity to minimise the potential impact of patching. The ACSC is assessing the impact on cloud services listed on the Certified Cloud Services List (CCSL). The ACSC have engaged with these companies and they are taking appropriate action. Relevant links Vulnerability information Google Project Zero Reading privileged memory with a side-channel Vulnerability websites Meltdown and Spectre: Vulnerabilities in modern computers leak passwords and sensitive data CVE sites CVE-2017-5715 CVE-2017-5753 CVE-2017-5754 US-CERT Meltdown and Spectre side-channel vulnerabilities Processor vendor information AMD: Google Project Zero, Spectre and Meltdown Arm: Vulnerability of speculative processors to cache timing side-channel mechanism Intel: Intel issues updates to protect systems from security exploits Operating system information Android: Security Bulletin, January 2018 Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs Microsoft: Guidance to mitigate speculative execution side-channel vulnerabilities Red Hat: Kernel side-channel attacks SUSE: 'Meltdown' and 'Spectre' side channel attacks against modern CPUs Ubuntu: Ubuntu updates for the Meltdown / Spectre vulnerabilities Web browser information Google Chrome: Actions required to mitigate speculative side-channel attack techniques Microsoft Edge and Internet Explorer: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer Mozilla Firefox: Mitigations landing for new class of timing attack Virtualisation software information Citrix: Citrix security updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 VMware: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution Xen: XSA-254 Information leak via side effects of speculative execution Cloud service provider information Amazon Web Services: Processor speculative execution research disclosure Google: Googles mitigations against CPU speculative execution attack methods Microsoft Azure: Microsoft cloud protections against speculative execution side-channel vulnerabilities Related alert Processors can be exploited by Meltdown and Spectre vulnerabilities Content complexity Moderate This rating relates to the complexity of the advice and information provided on the page.
