January 7, 2018
On January 3, a set of vulnerabilities known as Meltdown and Spectre were announced. Meltdown and Spectre Vulnerabilities Update. Meltdown and Spectre vulnerabilities effect many modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. At this time, the industry is unaware of any active exploitation but given the scope of these vulnerabilities, it is expected that exploits will be developed.
Our products and services use several different operating systems and operating environments. Our vendors are in the process of evaluating the impact and applying appropriate remediation including patches and firmware upgrades.
For some of our on-premise products, it is important to note that although technically they have the same vulnerability, they are implemented on dedicated and hardened infrastructure making them closed systems and are not directly exploitable. Spectre and Meltdown leave equipment extremely vulnerable.
For our other SaaS products, many of our cloud/hosting vendors (including AWS, Azure, Rackspace) have already patched their environments, which greatly reduces our exposure. As a best practice, we will also be patching the guest operating systems.
IMPORTANT: Microsoft is actively developing patches to “close” these security holes. Microsoft patches also require a compatible version of anti-virus (AV) installed for the patch to run successfully. We will be actively receiving updates from our AV vendors to ensure we have the correct AV version to avoid any unwanted outcomes.
We are expecting final testing results from our vendors about mid to late next week and will advise our clients of any remediation or updates required at that time for the Spectre and Meltdown updates.