Why is this important?
Many devices, including laptops, desktops and hardware in datacentres, may be vulnerable to Meltdown and/or Spectre. Vendors are working on (or have already released) patches to mitigate these issues.
While there is currently no indication that the vulnerabilities are being actively exploited by malicious cyber actors, the ACSC advises you to patch your devices as soon as possible.
What should I do now?
Patches have been released, or are expected in the near future, for various operating systems and applications likely to be impacted. This includes updates for various web browsers. Firmware patches from the vendors of affected hardware are also expected in the near future.
Some antivirus applications are currently not compatible with the security update released for Windows operating systems on 3 January 2018. Some users will have to wait until their antivirus software has been updated to apply this Windows security update. Microsoft have released guidance for Windows clients and servers.
There has been speculation that the deployment of certain patches potentially causes reduced performance. Vendors have indicated that in most cases they see negligible impact, however performance can vary. The ACSC is unable to quantify the impact, however recommends that organisations consider this in their patching plans.
For everyday users, the impact of applying these patches is unlikely to be noticeable. The risks or consequences of choosing not to patch are as yet unknown. We welcome advice on any performance impacts experienced as a result of patching.
Organisations should apply patches when available from the affected companies. It is advised that when available these should be implemented within the timeframes recommended by the ACSC (i.e. within 48 hours of release for extreme risk security vulnerabilities).
Advice for owners and customers of cloud services
Applying the patches may have a performance impact on processing capability. But on balance, the ACSC's advice is to patch systems to address potential security vulnerabilities.
Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) customers should have their environments patched by their provider. Customers should check the website of their provider to confirm the relevant patches have been applied.
Infrastructure-as-a-Service (IaaS) customers will need to apply the relevant patches to their IaaS instances.
Should you be operating at near maximum processing capacity, we recommend considering options to increase or manage capacity to minimise the potential impact of patching.
The ACSC is assessing the impact on cloud services listed on the Certified Cloud Services List (CCSL). The ACSC have engaged with these companies and they are taking appropriate action.
- Google Project Zero
- Vulnerability websites
- CVE sites
Processor vendor information
- AMD: Google Project Zero, Spectre and Meltdown
- Arm: Vulnerability of speculative processors to cache timing side-channel mechanism
- Intel: Intel issues updates to protect systems from security exploits
Operating system information
- Android: Security Bulletin, January 2018
- Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs
- Microsoft: Guidance to mitigate speculative execution side-channel vulnerabilities
- Red Hat: Kernel side-channel attacks
- SUSE: 'Meltdown' and 'Spectre' side channel attacks against modern CPUs
- Ubuntu: Ubuntu updates for the Meltdown / Spectre vulnerabilities
Web browser information
- Google Chrome: Actions required to mitigate speculative side-channel attack techniques
- Microsoft Edge and Internet Explorer: Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
- Mozilla Firefox: Mitigations landing for new class of timing attack
Virtualisation software information
- Citrix: Citrix security updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
- VMware: VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution
- Xen: XSA-254 Information leak via side effects of speculative execution