Meltdown and Spectre

Computer researchers have recently revealed that the main chip inside most modern computers and other electronic devices --- the CPU --- has a hardware design flaw, or bug. This flaw creates two serious security issues dubbed “Meltdown” and “Spectre”.

The design flaw in CPUs has been there since 1995 and affects most CPUs, regardless of manufacturer.  While the scope of the problem is not yet well understood, it is believed to affect nearly every modern computer and device with a CPU.

At this time, we know it affects the hardware that runs Microsoft Windows, Apple macOS, Linux, FreeBSD, Google Android, Apple iOS, Apple tvOS and Google ChromeOS — that is to say, the bug is baked into most Intel, ARM, and AMD processors [1]. It therefore affects almost every server, workstation, desktop, laptop, smartphone, and tablet.

This hardware flaw allows malicious programs to steal data that is held in your device's memory. Normally, applications are not able to do that because they are isolated in memory from each other and from the operating system. The hardware design flaw breaks down this isolation. Hence, a bad actor who gets malicious software running on your computer can access your passwords, emails, financial information, and more. The malicious code does not have to be an installed program: it could be as simple as JavaScript on a web page you're visiting, run by your web browser [2]. It is particularly a problem for cloud services, including Amazon Web Services (AWS), Microsoft Azure, and UT's own UT-VMG virtual machines.

Because these vulnerabilities affect the processors at the physical layer, the only way for the vulnerabilities to be fully addressed is for the processors to be replaced or to have a firmware update applied to the processors.  Therefore, addressing the vulnerabilities will most likely only happen through attrition, as machines are replaced with new machines; and this takes time. 

Until vulnerable systems are replaced, the makers of operating systems are releasing patches that make the physical-layer vulnerabilities inaccessible to exploitation.

CNS OIT is working diligently to patch all machines on our network. Unfortunately, the patching requires rebooting the machine, and this will be disruptive. It is also going to take time: some of the patches are not even available yet. And some older machines with operating systems that are out of support may have to be replaced, as the operating system vendors may decide not to write patches for these OSes.

We ask that you keep your personal machines and devices (including smart phones and tablets) updated with the latest patches as they come out to protect yourself and the University from any risk.  Patches are now available for most major computer platforms, and we hope they will be coming soon for mobile devices.

Please note that at the time of this writing, there are no known active attacks against any of these vulnerabilities. However, we believe there will be soon; and it is important that we patch machines quickly to get ahead of any attacks. As always, we will continue to watch this event closely and provide any updates that we can as we learn more [3].

And as always, if you have additional questions or need help securing your devices, please don't hesitate to contact the help desk at https://cns.utexas.edu/help (UT EID login required).

Written by CNS OIT staff

Footnotes:

1 Meltdown is thought to potentially affect every Intel processor made since 1995 that implements out-of-order execution, with the exception of Itanium and some Atom processors. At the time of writing, it is not thought to affect competing processors from AMD and ARM.  The Spectre vulnerability, however, has been verified by researchers as affecting chips made by Intel, AMD and ARM.

2 At the time of this writing, most browser manufacturers are working on web browser patches to help protect against this kind of attack.

3 A good source of information and patch availability is located at https://www.us-cert.gov/ncas/alerts/TA18-004A

 
