Blog - Virid: People-Powered eCommerce

Meltdown and Spectre - What you need to know

By now you have likely seen one of many news reports about security vulnerabilities in computer chips from manufacturers like Intel, AMD, and others. We at Virid created this quick FAQ to help you make sense of the reports.

What is this Meltdown/Spectre issue anyway?

Security researchers have discovered that it's technically possible to trick certain computer chips into leaking whatever is in their memory to processes that don't have direct permission to access that information. The exploit takes advantage of a common feature of high-performance computer chips, which is why it's so widespread. The 'Meltdown' exploit applies mostly to Intel chips, but 'Spectre' spans many chip manufacturers.

I'm hearing that this is everywhere and is a really big deal - how worried should I be?

It's a big deal because it's the biggest and most widespread chip security vulnerability that has been found in recent memory (or perhaps ever). It's staggering in scope and, if used, could potentially expose even passwords and other secure information. That said, this is only a vulnerability—a theoretical weakness that was discovered by researchers.

There has been no evidence or reason to believe that anyone malicious found or used this weakness to access any information. The vulnerability that was discovered is very difficult to pull off and the raw memory dump that it yields isn't easy to get any value from. In short: for your average computer ne'er-do-well, this exploit is way more trouble than it's worth.

Should you immediately patch every chip-using device you have? Most certainly. You should do that anyway. Should you lose sleep over your mom's desktop being hacked via Meltdown or Spectre? Based on the information out as of now—no, I really wouldn't.

Is my marketAgility ecommerce site at risk?

In a word, no. Virid hosts all our clients' sites on Microsoft's Azure platform. As soon as we heard of the issue, we reached out through our Microsoft partner channels to get details on the mitigation plans. The security patches were already in progress across the infrastructure, and you may have even noticed the required site restart late yesterday. As of last night, the Azure services that we use to host your sites have been patched against this potential security risk.

We will continue to work closely with our partner, Microsoft, on any Meltdown- or Spectre-related security updates—as we do for all security issues. If any additional mitigation actions surface, rest assured we will address them immediately. As a PCI level 1 certified company, security is part of our DNA and we take it very seriously.

If you're not a Virid client, you should speak to your hosting company immediately to make sure they're installing the required security patches ASAP and will continue to monitor this vulnerability on your behalf.

Is my personal/work computer at risk?

Potentially. You should make sure that you have the latest version of the operating system on your computer. Most devices have a simple "check for system updates" function, which you can use on demand to check that your device is up to date.

It's also best practice to set your system software to "update automatically" so whenever a new security patch comes out, your computer will install it as soon as it's available. For any work computers, you should talk to your internal IT team to ensure you're following corporate policies on system updates.

More Information

https://www.cnet.com/uk/news/spectre-meltdown-intel-arm-amd-processor-cpu-chip-flaw-vulnerability-faq/

https://www.washingtonpost.com/news/the-switch/wp/2018/01/04/tech-companies-work-to-patch-major-computer-vulnerabilities-meltdown-and-spectre/

https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre

https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

Written by Lauren Shanta