[IGPP Everyone] [EPSS Everyone] Recently revealed critical vulnerabilities to most computer operating systems

SALYARDS, STEPHEN salyards at epss.ucla.edu
Fri Jan 5 10:41:49 PST 2018 

Greetings,
  You may have heard on the news about two recently revealed vulnerabilities that affect almost every computer operating system. Are you impacted - probably yes.

While the two vulnerabilities - Meltdown and Spectre - are a bit different, and Meltdown won't affect as many systems as Spectre, they basically are two approaches with the same outcome. The bottom line is that malicious code can be used to read the executing memory of the operating system. The vulnerability is so wide spread because it is based on the model of how almost all operating systems have used the processor memory for the last couple of decades.

I am not going to go into much detail here. First, the exploit is a bit technical and I am not going to try to condense it into an email. The links below contain two good articles that describe the issue.

Second, with the wide variety of systems that are vulnerable, I won't try to cover them all here.

In addition, this is a developing situation and more details and updates will probably be released as the issues are understood.

Bottom line - if an update is available for your computer or smartphone, have a look and seriously consider applying it. Mac OS and Linux systems updates have been addressing this for a couple of months now. Windows is catching up. Smartphone OS updates should be coming shortly.

There is a downside to the update: The vulnerability exists in a system designed to improve the performance of the processor and consequently the patch will likely reduce the performance of the device. See the articles below for a good explanation why. I can not uniformly say to apply the update, particularly to mobile devices, but desktops and servers should probably be patched as the updates are issued. We will be patching all department computers.

Some good references if you want more information. And again, this will probably evolve for a while so you might want to check back on these, particularly the first one.

This page seems to be a good starting point - It has a great FAQ and links to info from hardware, software and security providers
https://spectreattack.com/

For a narrative of what the major companies are doing, this article covers that (with an amusing level of snark)
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

The first technical description from Ars Technica - Detailed but a reasonably readable article for those who want gory details
https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/

A good follow up to that article with less gory details and more response information
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igpp.ucla.edu/pipermail/everyone/attachments/20180105/8dcd9879/attachment.html>
-------------- next part --------------
_______________________________________________
Everyone mailing list
Everyone at dept.epss.ucla.edu
http://dept.ess.ucla.edu/mailman/listinfo/everyone

More information about the Everyone mailing list