OIT addresses Meltdown and Spectre vulnerabilities

The Office of Information Technology is working with its campus partners to patch university-owned systems that are affected by the Meltdown and Spectre vulnerabilities.

Security researchers recently discovered and reported these vulnerabilities in processors. The two bugs are similar in nature: both allow malicious programs to steal data (e.g., passwords, payment card information) from the system memory of active programs.

The Meltdown bug affects every Intel processor shipped since 1995; Spectre is even more wide-ranging, impacting desktops, laptops, cloud servers, and smartphones. Basically, if it has a computer chip in it, it could be vulnerable to attack.

No real-world exploits have been reported yet, but unfortunately, no currently available security controls protect against these new bugs. Antivirus software and intrusion detection software won’t automatically identify these vulnerabilities.

Computer manufacturers and software vendors are still in the initial stages of delivering updates for these new vulnerabilities. As a result, you may see frequent updates and solutions as vendors add or improve patches for vulnerable components of your system.

OIT’s efforts to patch university-owned systems are ongoing. Refer to SysNews for updates.

For your personally owned computers, you should:

  • Pay close attention to patches and updates from your software AND hardware vendors. Microsoft and Apple have provided patches for the following operating systems:
    • Windows 7, 8.1 and 10
    • Mac iOS 11.2 and Mac OS 10.13.2.
      Mac computer users should check for updates in the App Store to confirm they have the latest patches installed.
  • Update your computer’s BIOS and firmware, operating system, and applications (particularly your web browsers) as soon as patches are available.
  • Ensure your antivirus software is up to date and turn on automatic updates.

For more information about the Meltdown and Spectre vulnerabilities, see the United States Computer Emergency Readiness Team (US-CERT) alert, Meltdown and Spectre Side-Channel Vulnerability Guidance.