January 2018 – Happy New Year!
Welcome back everyone! Welfare Call hopes you’ve all had a great break and a positive start to the New Year.
Over recent weeks you may have come across a lot of media coverage regarding potential security alerts with PC hardware – specifically Central Processing Units (CPUs). Welfare Call would therefore like to cover this in more detail below so that you’re fully aware of the situation…
As part of our ongoing security assessments Welfare Call has received notification of two new vulnerabilities. These are called Spectre and Meltdown. Spectre is also known as CVE-2017-5753 and CVE-2017-5715 and Meltdown as CVE-2017-5754.
Welfare Call have carried out work to minimise the risk to clients’ data and will continue to monitor developments relating to these vulnerabilities. Where a further update is required, the severity changes, or we perceive the risk to increase, we will notify you again.
If you want to know more, or want to know if this will affect the IT services you have access to, read the details below.
These flaws relate directly to the construction of many modern Central Processing Units (CPUs). The hardware providers themselves and the providers of the software that runs on them are currently working on patches and mitigations to resolve the issue.
These new bugs affect many devices, including desktop PCs, servers, mobile phones, iPads and many more. The faults are actually in the computer’s hardware – specifically, in the central processing unit. They are not related to the Extranet or ePEP software produced by Welfare Call Ltd, nor can we alter our code to mitigate these issues. As they are related to the underlying hardware, they are more difficult to rectify.
Meltdown mainly affects computers using Intel-based CPUs. It allows remote attackers to read from the CPU’s memory (which may or may not have privileged or sensitive data in it).
There are two variants of Spectre – one that can expose all memory, the other that exposes a lot less.
Although both Meltdown and Spectre are hard to exploit – and there are currently no known ways to use the exploit – they remain a risk to computers online and within businesses today, including the servers we use to provide our service to you.
What are Welfare Call doing about it?
Internally, within the Welfare Call corporate network, we tightly control the software installed on our computers. Our antivirus solutions also minimise the chance of any potentially unwanted applications (PUAs) and malware running. These procedures minimise the chance of malicious software exploiting the Meltdown and Spectre vulnerabilities and gaining unauthorised access to data. We also tightly control the websites available to our staff to minimise the chance of any new malware being run on the computers.
Any patches that are released for our internal infrastructure are reviewed and assessed for the potential impact before being deployed.
We contacted our hosting provider as soon as we were aware of these vulnerabilities. They have confirmed that all available patches have been applied. We have accessed the servers to confirm that the software is reporting correct versions that include the patch. The software running on the servers is tightly controlled and reviewed in the annual penetration tests to minimise the chance of any malicious software being used to exploit these vulnerabilities.
Is there a risk to the data held on Welfare Call Systems?
We are confident that, because of the control process for software on our servers and the patches that have already been applied, the risk was low initially, and we have reduced the risk as far as is possible by installing the fixes available.
What should I (the client) do about it?
Clients should make sure their internal IT departments are aware of these issues and that they update software to protect their computers. Clients should also be aware that a number of “fake” patches for Meltdown and Spectre have been released which do not fix the issues but instead install other malicious software. A computer patched with the fake patches is at an even greater risk of data loss, security compromise or complete lock-out, including loss of access to all data both on that computer and all data accessible from that computer (e.g. your network shares). This follows a recent pattern where fake patches are released following the discovery of high-profile vulnerabilities. These are designed to exploit people’s willingness to “secure their PC” as soon as possible. Only install software patches from known trusted sources. If you are unsure, consult your local IT support service provider.
Where can I find out more?
The Internet has many articles on these vulnerabilities.
This is the first article we found: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
Just this one website has pages of information regarding these vulnerabilities.
A list can be found here: https://search.theregister.co.uk/?q=meltdown&advanced=1&author=&date=m&results_per_page=20