News

Update on processor vulnerabilities (Meltdown/Spectre)

The ACSC is aware of reporting that a variety of security products (e.g. antivirus solutions) are incompatible with Microsoft's patches for the Meltdown and Spectre vulnerabilities.

The reports indicate that the Microsoft patches will successfully apply, but will cause system disruptions. For this reason Microsoft is no longer offering the security patches until the security vendors certify their products to be compatible with the patches. The ACSC recommends that organisations consult Microsoft's support website and the support websites of their OEM device manufacturers and security product vendors for specific advice relating to patching for these vulnerabilities.

For more information, please refer to:

The ACSC's advice remains that organisations should patch Meltdown/Spectre vulnerabilities as soon as possible.

Recent media reporting has indicated that applying the patches for these vulnerabilities can lead to performance issues, and can impact on the availability of third party software. Vendors have advised that in most cases there will be negligible performance impact following the applicaion of the patches. For everyday users, the performance impact of applying these patches is unlikely to be noticeable.

Should organisations still be concerned about performance impacts, the ACSC recommends that you consider patching and testing plans in your environment prior to application.

For more detailed information, see 5 January 2018 update below.

What are Meltdown and Spectre?

Security researchers have developed methods involving speculative execution to read kernel memory from user space on a variety of processors from a range of vendors produced in the last decade. These methods have been referred to as ‘Meltdown’ and ‘Spectre’.

Meltdown is described as a vulnerability that allows a program to access the memory, and thus also the secrets, of other programs and the operating system. Meltdown only impacts Intel chips.

Spectre allows access to protected memory of other applications. Spectre impacts Intel, AMD and ARM chips, which includes some mobile devices.

Why is this important?

A malicious actor could possibly use this vulnerability to gain access to areas of memory they should not have permission to access. This could result in malicious actors obtaining sensitive data, such as passwords.

Many devices, including laptops, desktops and hardware in datacentres, may be vulnerable to Meltdown and/or Spectre. Vendors are working on (or have already released) patches to mitigate these issues.

While there is currently no indication that the vulnerabilities are being actively exploited by malicious cyber actors, the ACSC advises you to patch your devices as soon as possible.

What should I do now?

Patches have been released, or are expected in the near future, for various operating systems and applications likely to be impacted. This includes updates for various web browsers. Firmware patches from the vendors of affected hardware are also expected in the near future.

Some antivirus applications are currently not compatible with the security update released for Windows operating systems on 3 January 2018. Some users will have to wait until their antivirus software has been updated to apply this Windows security update. Microsoft have released guidance for Windows clients and servers.

There has been speculation that the deployment of certain patches potentially causes reduced performance. Vendors have indicated that in most cases they see negligible impact, however performance can vary. The ACSC is unable to quantify the impact, however recommends that organisations consider this in their patching plans.

For everyday users, the impact of applying these patches is unlikely to be noticeable. The risks or consequences of choosing not to patch are as yet unknown. We welcome advice on any performance impacts experienced as a result of patching.

Organisations should apply patches when available from the affected companies. It is advised that when available these should be implemented within the timeframes recommended by the ACSC (i.e. within 48 hours of release for extreme risk security vulnerabilities).

Advice for owners and customers of cloud services

Applying the patches may have a performance impact on processing capability. But on balance, the ACSC's advice is to patch systems to address potential security vulnerabilities.

Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) customers should have their environments patched by their provider. Customers should check the website of their provider to confirm the relevant patches have been applied.

Infrastructure-as-a-Service (IaaS) customers will need to apply the relevant patches to their IaaS instances.

Should you be operating at near maximum processing capacity, we recommend considering options to increase or manage capacity to minimise the potential impact of patching.

The ACSC is assessing the impact on cloud services listed on the Certified Cloud Services List (CCSL). The ACSC have engaged with these companies and they are taking appropriate action.

Relevant links

Vulnerability information

Processor vendor information

Operating system information

Web browser information

Virtualisation software information

Cloud service provider information

Reports help the ACSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.

Cyber security incident reports are also used in aggregate for developing new defensive policies, procedures, techniques and training measures to help prevent future incidents.

Information for Australian businesses
Information for individual Australian citizens
Information for Federal, State and Local government agencies