- January 13, 2021: Use the Findings page and updated portfolio filtering instructions.
Spectre is a vulnerability due to a flaw found within computer processors that leave desktop and mobile devices (endpoint data) potentially vulnerable to various security issues.
Risks
- It affects applications and most CPUs, where the attack surface is isolated to the application.
- Researchers have found that many computer chips leave sensitive information indirectly exposed in memory, and as a result, attackers can use these flaws to access sensitive data, like passwords, or look at what tabs someone has open on their computer.
Mitigation
While browser vendors are releasing patches for the vulnerability, the best method for addressing Spectre is as follows:
For your own organization:
- Using the Risk Vector filter in the Findings page, select the Desktop Software and Mobile Software options from the Diligence section to identify machines with outdated web browsers.
- Create a Diligence report with Desktop Software and Mobile Software selected to share the information across teams (IT, Executive).
- Update all web browsers used by your organization (see below for Spectre status of major browsers).
- Update all operating systems in your organization (see below for Spectre status).
- Act on new Spectre-specific operating system and browser updates as they become available and continue to do so until all of your organization's systems and browsers are patched against Spectre.
For third parties:
- Using the Software filter in your portfolio, select the Unsupported option from the Category section.
- Start by selecting major web browsers, e.g., Firefox, IE, Chrome, Safari.
- Run a Portfolio Impact Report to understand the scope of this issue across your Portfolio. See the Reports Repository for details on this report.
- For each affected company/organization, you can view more information about their use of unsupported browsers through their Mobile and Desktop Software risk vector details.
Web Browser Patch Status
As of January 25, 2018, these browsers are in the process of issuing updates so that end-users are no longer affected by Spectre.
| Browser | Description |
|---|---|
| Mozilla Firefox | 57.0.4 – see https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/ |
| Apple Safari | 11.0.2 – https://support.apple.com/en-us/HT208394 |
| Google Chrome |
|
| Opera | Opera 50 https://blogs.opera.com/security/2018/01/opera-mitigates-critical-cpu-vulnerabilities/ |
| Microsoft IE 11, Edge | (Version info not available) Included in this Microsoft Update: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 |