What are Meltdown and Spectre?
Security researchers have developed methods involving speculative execution to read kernel memory from user space on a variety of processors from a range of vendors produced in the last decade. These methods have been referred to as ‘Meltdown’ and ‘Spectre’.
Meltdown is described as a vulnerability that allows a program to access the memory, and thus also the secrets, of other programs and the operating system. Meltdown only impacts Intel chips.
Spectre allows access to protected memory of other applications. Spectre impacts Intel, AMD and ARM chips, which includes some mobile devices.
Why is this important?
A malicious actor could possibly use this vulnerability to gain access to areas of memory they should not have permission to access. This could result in malicious actors obtaining sensitive data, such as passwords.
Many devices, including laptops, desktops and hardware in datacentres, may be vulnerable to Meltdown and/or Spectre. Vendors are working on (or have already released) patches to mitigate these issues.
While there is currently no indication that the vulnerabilities are being actively exploited by malicious cyber actors, the ACSC advises you to patch your devices as soon as possible.
What should I do now?
Patches have been released, or are expected in the near future, for various operating systems and applications likely to be impacted. This includes updates for various web browsers. Firmware patches from the vendors of affected hardware are also expected in the near future.
Some antivirus applications are currently not compatible with the security update released for Windows operating systems on 3 January 2018. Some users will have to wait until their antivirus software has been updated to apply this Windows security update. Microsoft have released guidance for Windows clients and servers.
There has been speculation that the deployment of certain patches potentially causes reduced performance. Vendors have indicated that in most cases they see negligible impact, however performance can vary. The ACSC is unable to quantify the impact, however recommends that organisations consider this in their patching plans.
For everyday users, the impact of applying these patches is unlikely to be noticeable. The risks or consequences of choosing not to patch are as yet unknown. We welcome advice on any performance impacts experienced as a result of patching.
Organisations should apply patches when available from the affected companies. It is advised that when available these should be implemented within the timeframes recommended by the ACSC (i.e. within 48 hours of release for extreme risk security vulnerabilities).
Advice for owners and customers of cloud services
Applying the patches may have a performance impact on processing capability. But on balance, the ACSC's advice is to patch systems to address potential security vulnerabilities.
Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) customers should have their environments patched by their provider. Customers should check the website of their provider to confirm the relevant patches have been applied.
Infrastructure-as-a-Service (IaaS) customers will need to apply the relevant patches to their IaaS instances.
Should you be operating at near maximum processing capacity, we recommend considering options to increase or manage capacity to minimise the potential impact of patching.
The ACSC is assessing the impact on cloud services listed on the Certified Cloud Services List (CCSL). The ACSC have engaged with these companies and they are taking appropriate action.
- Google Project Zero
- Vulnerability websites
- CVE sites
Processor vendor information
Operating system information
Web browser information
Virtualisation software information
Cloud service provider information