
Security Alert: Critical update for servers, computers, mobile

Date:
2018-01-04 17:22:00
Status:
Open
Brief Description:
Two critical security vulnerabilities (Meltdown and Spectre) present serious risk to servers, cloud systems, laptops, desktops, and mobile devices. Consult with your department for guidance on updating university-owned computers.
Current Status:
Cornell is working to make patches available for university-owned devices as rapidly as possible (consult with your department for guidance). For personally owned devices, check for software updates and apply them immediately.
Services Affected:
Not Applicable
Full Description:
Two critical security vulnerabilities (Meltdown and Spectre) present serious risk to servers, cloud systems, laptops, desktops, and mobile devices. Consult with your department for guidance on updating university-owned computers. For personally owned devices, check for software updates and apply them immediately.

(*) University-owned Windows computers managed via Cornell's Endpoint Management Tools: patches are expected to be available January 5.

(*) University-owned Mac computers managed via Cornell's Endpoint Management Tools: details coming soon.

(*) Servers managed via Cornell's Managed Server service: Windows server patches are available for server owners to apply now. For VMware / ESX, the Managed Server team will apply patches in the next few days.

(*) Customers of Cornell's Cloudification service: System operators are responsible for applying operating system patches on AWS EC2 instances. Amazon has already patched the underlying infrastructure.

---------
DETAILS

Meltdown and Spectre allow programs to gain unauthorized access to potentially sensitive information. For personally owned devices, and for university-owned devices that ARE NOT managed via Cornell's Endpoint Management Tools or Managed Server service, check with your hardware and operating system vendors, as well as hypervisor vendors such as VMware and Xen, for software updates and apply them as quickly as possible. Not all vendors have released patches at this time, so please continue to check for updates regularly.

High-level comparison:
https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

More detailed information:
https://www.bleepingcomputer.com/news/security/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws/

Technical details (research papers):
https://meltdownattack.com/
https://spectreattack.com/