Posted By: ASK
Posted date: January 5, 2018
In: Enhanced Security Services, Security, Uncategorized
FROM THE DESK OF MIKE MADDOX:
In our last blog post, I provided an informational bulletin regarding recently discovered microprocessor vulnerabilities and the potential for these vulnerabilities to lead to security breaches. This is a huge issue that impacts all businesses and billions of devices. Over the coming days, hardware and software vendors will be issuing updates regarding their remediation efforts. These vendor updates will continue to clarify ASK’s operational response to this serious security issue. Our priority is keeping you informed about the operational impacts caused by this and the necessary responses.
For a comprehensive summary overview of this issue, ASK recommends the following sites for reference:
After our initial bulletin, two vendors have issued notices worthy of sharing with you immediately. They involve critical steps that should be taken by VMware customers and an announced plan for internet browser security from Google for the Chrome browser.
To define the issue: it was reported on Tuesday, January 2, 2018, that security vulnerabilities exist in most Intel, AMD and ARM processors. The vulnerabilities identified are being called “Meltdown: and “Spectre”. The processors and chips that are susceptible to these vulnerabilities are in almost every system (servers, workstations, and phones) manufactured since 1995.
VMware has released patches that are designed to mitigate the vulnerability. Deploying these patches is complicated and involves the consideration of many factors including:
- VMware version – If a customer is not running 5.5, 6.0, or 6.5 then the patch will require a version upgrade be done first. The ability to upgrade is dependent on the current version and the hardware. The upgrade required may not be compatible with the hardware which means that a hardware upgrade will be required prior to the version upgrade.
- Performance– Even in cases where the version is capable of being patched and the hardware is compatible, an analysis of hardware capacity needs to be conducted to ensure that the server can withstand the additional resources required by the patch itself.
- Planning– All upgrades and patches for VMware will require rebooting the server and therefore some amount of downtime.
For ASK Managed Services Clients– We are currently finalizing a customized and detailed plan of action for every client that will identify the approximate risk level, the version of VMware in place, and the hardware ability to handle the patch. We expect that analysis to be completed over the weekend. Once that is completed your ASK VCIO will contact you to discuss your environment in detail as well as ASK’s recommendation for applying the patch. As mentioned above, remediation may involve costs associated with software version, hardware, and service time. Your VCIO will provide all details next week and coordinate a plan for patch implementation in your environment.
Google Chrome Browser
On January 23, a new version of Google Chrome is going to be released which includes mitigations to protect your workstations and phones. Prior to January 23, individuals can turn on an “experimental” feature called Strict Site Isolation. Reference the CNET link above for information on this feature if you choose not to wait until January 23.
Mozilla, Microsoft (Edge and Internet Explorer), Apple (Safari) have all announced that they are working on or in the process of providing new versions that include mitigation of this vulnerability.
Thank you for your attention to this. ASK will continue to take every step possible to protect our clients from this vulnerability. If you have any questions or would like to discuss this further, please contact your ASK VCIO or Sales Person as soon as possible.
Contact us for more information about Live Security Monitoring at (517) 676-6633