Microsoft has released an emergency out-of-band cumulative security update in response to the recently disclosed, industry-wide security vulnerabilities known as Meltdown and Spectre.
A brief high-level summary of these threats follows:
- Meltdown targets the isolation between user applications and the operating system, allowing a malicious program to access the memory of other applications and of the operating system.
- Spectre takes advantage of speculative execution in modern processors to break the isolation between applications, allowing arbitrary access to another application's memory.
Both recently disclosed attacks are processor-based security flaws that take advantage of a feature in modern processors.
In response to the disclosure of these vulnerabilities, software vendors have started the process of releasing patches for their products, which serve as a first step to help mitigate the exploitability of the attacks.
Although end-of-life operating systems are also affected, Microsoft has so far released an update only for the following:
- Windows Server 2008 R2 (SDSMerlin on-premise)
- Windows Server 2012 R2 (SDSMerlin Cloud)
For the SDSWIN application, patches will be available for newer servers (2010 or later). We will provide further communication on supported generations including firmware and software patches upon availability.
At this time, IBM is scheduled to release specific software patches on February 12th, 2018.
These vulnerabilities do not allow an external unauthorized party to gain access to a machine, but could allow a party with access to a system to access unauthorized data.
The first line of defense is the firewall and security tools that most organizations already have in place. The SERTI Cloud is already protected with both a firewall and security monitoring.
Complete mitigation of these vulnerabilities involves installing patches to both the system firmware and the operating system. The firmware patch provides partial remediation and is required for the OS patch to be effective.
We are currently performing an evaluation and analysis of the impact that the Microsoft patches (for SDSMerlin) will have on our infrastructure in a test environment.
Once these tests are completed and conclusive, we will gradually start updating our infrastructure to ensure maximum protection based on available security updates.
We will provide more details on the steps taken by our technical teams to counteract this situation in the coming weeks...
JANUARY 29 2018 - UPDATE: The latest Microsoft updates have been applied to all SDSMerlin Cloud environments. We are continuing our validations, with the help of IBM, on SDSWin Cloud environments.