אז אם במקרה אתם פה ועדיין לא שמעתם את החדשות - כל עולם אבטחת המידע קרס השבוע עם פירצה חדשה שהתגלתה ומקורה בכשל תכנוני בכל המעבדים שלכם. מתיאס גיינר כתב קטע קצר עם קישורים רלוונטים והוא כל כך מדויק שאני מעתיק אותו כמו שהוא לכאן:
Anyway, a few days later, the vulnerabilities got announced. As per usual, it got a logo (2!) and a website. SpectreAttack.com. From this day on, we’ll call them Spectre & Meltdown. Now that the details are out, the write-ups are coming, explaining the exploits with more clear examples. I specially liked this one from LWN.
Microsoft issued updates. Red Hat did too, as did most Linux distro’s. It’s a shame someone forgot to notify the BSD community though.
As if the bugs themselves weren’t serious enough, because of all the hype around it, the vulnerabilities were revealed a week earlier than planned. Turns out, if you hype the most serious vulnerability in the last decade, people go looking online. And they pieced together the bug from various sources, before the details were released. And in many cases, before vendors were ready with the patch. They all thought they had an extra week. Funny, isn’t it?
Meanwhile, props to Google for this bug. They followed-up on earlier reports of these vulnerabilities with some epic technical debugging. They even submitted patches to LLVM & GCC with new binary constructs for speculative execution.
To make a long story short, if you haven’t already, you will want to:
- Update the BIOS of your servers (make sure your vendor confirms they patched this)
- Update your hypervisors (KVM/Xen/VMware/…)
- Update all your servers (bare metal + VMs) with the latest kernel updates. By now, all major OS’s have patches.
- Just update everything that has a CPU in it