Skip to main content

Information Security

Meltdown and Spectre Vulnerabilities

Meltdown and Spectre exploit a flaw in microprocessor design, and can possibly expose password and other sensitive information on any device that contains a computer chip.  All Apple and Windows-based computers are affected, as well as any device that features an Intel, AMD, Qualcomm, or ARM chip.

Information Services is closely monitoring this situation, and has created a plan to address and mitigate (to the best of our ability) the risks posed to our technology environment.  As patches are released for the microprocessors, they are installed in our development environment for testing and deployed as quickly as possible. 

Please be advised that we have established a critical update and patch window from 10:00 PM to 2:00 AM every night for the next two weeks (today through Sunday, January 21st).  This means that some systems may not be available to you during this time. 

Also, please be aware that this situation is very fluid, and some patches may break other software processes and functions, meaning that there may be additional patches that we will need to install at some point in the future.

We will be able to automatically deploy some patches to some University-owned computers within the next few weeks.  For all Windows-based computers, we will need to physically visit your computer to install the needed firmware update.

1)    Please check to make sure that your device is running the latest OS/iOS release.  If not, please install any update available for your device.  If you don’t know how to check whether or not your device is running the latest software version, please contact the Technology Help Desk at x5700.

2)    Reboot your device.  Some people never power off their device, and some software and OS updates (and reminders to install updates) are triggered by a reboot.  Periodically rebooting your computer/laptop/tablet/phone/etc. is a good idea anyway.

3)    Reboot your device daily for the next couple of weeks.  Numerous patches for numerous devices will be released in the following days, and it may be difficult to keep up with whether or not you need to download a patch.  Rebooting your device should help insure that you are notified that an update is available.

4)    If your device notifies you that an operating system or browser update is available, please install it.  PLEASE NOTE: do not click on any link in any e-mail that you may receive that tells you that you need to update your computer or other device.  We anticipate that there will be a number of phishing attempts that will try to get you to click on a link that redirects you to an unsecure website to harvest personally identifiable information, or one that will install malware on your computer.

 

1)    Check to see if you have BigFix installed on your University-owned computer.  BigFix is software that is installed on many University-owned computers that allows us to update and automatically deploy patches to your computer.  You can tell if you are running BigFix by looking at the bottom right of your computer screen.  You will see a number of icons.  Look for the following icon:

 BigFix icon

If you see this icon, it means that you have BigFix installed on your machine.  We will be automatically pushing needed patches to your computer once they have been released and we have had a chance to test them.  You do not need to do anything further.

If you do not see the BigFix icon, please contact the Technology Help Desk (x5700) or your school/college’s IT coordinator.

2)    Expect to get an email or phone call from us to schedule a time when we can physically visit your computer to install another needed patch (otherwise known as a firmware, or BIOS, update).

3)    Reboot your device.  Some people never power off their device, and some software and OS updates (and reminders to install updates) are triggered by a reboot.  Periodically rebooting your computer/laptop/tablet/phone/etc. is a good idea anyway.

4)    Reboot your device daily for the next couple of weeks.  Numerous patches for numerous devices will be released in the following days, and it may be difficult to keep up with whether or not you need to download a patch.  Rebooting your device should help insure that you are notified that an update is available.

5)    If your device notifies you that an operating system or browser update is available, please install it.  PLEASE NOTE: do not click on any link in any e-mail that you may receive that tells you that you need to update your computer or other device.  We anticipate that there will be a number of phishing attempts that will try to get you to click on a link that redirects you to an unsecure website to harvest personally identifiable information, or one that will install malware on your computer.

Please contact that Technology Help Desk at x5700, or your school/college’s IT administrator.

Also,

1)    Reboot your device.  Some people never power off their device, and some software and OS updates (and reminders to install updates) are triggered by a reboot.  Periodically rebooting your computer/laptop/tablet/phone/etc. is a good idea anyway.

2)    Reboot your device daily for the next couple of weeks.  Numerous patches for numerous devices will be released in the following days, and it may be difficult to keep up with whether or not you need to download a patch.  Rebooting your device should help insure that you are notified that an update is available.

3)    If your device notifies you that an operating system or browser update is available, please install it.  PLEASE NOTE: do not click on any link in any e-mail that you may receive that tells you that you need to update your computer or other device.  We anticipate that there will be a number of phishing attempts that will try to get you to click on a link that redirects you to an unsecure website to harvest personally identifiable information, or one that will install malware on your computer.

Please be aware that your browser(s) will also need to be updated.  Here is the link for more information on specific browsers

If you are in doubt about any of these instructions, please contact the Technology Help Desk at x5700.

 

Want more information?

The best way to explain this is to use an analogy, and here are two of the best analogies that found on the internet.

Here’s Scott Hanselman’s (@shanselman) explanation of Meltdown:

Explaining #Meltdown to non-technical spouse.

“You know how we finish each other’s...”

“Sandwiches?”

“No, sentences. But you guessed ‘sandwiches’ and it was in your mind for an instant. And it was a password. And someone stole it while it was there, fleeting.”

“Oh, that IS bad.”

Here’s Clay Shirky’s (@cshirky) explanation of Spectre:

Imagine a bank with safe deposit boxes. Every client has an ID card, and can request the contents of various boxes, which they can then take out of the vault.

The bank is concerned about security. People have to show ID, and can't walk out of the vault with stuff that isn't theirs. However, the vault is enormous, and the clients impatient. There are also many clerks. To speed things up, sometimes the clerks *guess* which boxes you want.

To enable this predictive fetching, they don't check whether you need the contents till after they've fetched it. Sometimes these guesses pan out, sometimes not, but nbd. If they bring something you don't need, you can just leave it there.

So here's the bug. The bank's protocol for checking ID, and for making sure you don't walk out with other people's stuff, are both good. However, the security for fetching safe deposit boxes is bad, because it is optimized for speed.

Once your ID checks out, the clerks trust you, just for a moment. If you show ID and ask for one of your boxes, #117254, you'll get it. But if you show ID and ask for #440587, you'll get to see the contents of someone else's box instead.

And you can do this again and again, asking to see the contents of boxes that aren't yours. You can't alter the contents, but you can know what they are. Over many iterations, you can learn the entire contents of the vault.

So the bank is the CPU, your requests are a program, the clerks are processes, and the deposit boxes are memory. A trusted program can ask process to fetch chunks of memory it has no right to. To enable fetching, checks on whether data is valid for a process only come later.


Or here is a simple graphic courtesy of the Wall Street Journal:

Wall Street Journal graphic explaining Meltdown

 

Further information on how these microprocessor flaws can leak passwords and sensitive data can be found on this website or article.  Google Meltdown and Spectre for many more resources.

 

1)    Please contact your manufacturer directly.

2)    Please check to make sure that your device is running the latest OS release.  If not, please install any update available for your device.  If you don’t know how to check whether or not your device is running the latest software version, please contact your manufacturer directly.

3)    Reboot your device.  Some people never power off their device, and some software and OS updates (and reminders to install updates) are triggered by a reboot.  Periodically rebooting your computer/laptop/tablet/phone/etc. is a good idea anyway.

4)    Reboot your device daily for the next couple of weeks.  Numerous patches for numerous devices will be released in the following days, and it may be difficult to keep up with whether or not you need to download a patch.  Rebooting your device should help insure that you are notified that an update is available.

5)    If your device notifies you that an operating system or browser update is available, please install it.  PLEASE NOTE: do not click on any link in any e-mail that you may receive that tells you that you need to update your computer or other device.  We anticipate that there will be a number of phishing attempts that will try to get you to click on a link that redirects you to an unsecure website to harvest personally identifiable information, or one that will install malware on your computer.