Meltdown [CVE-2017-5754] is a vulnerability due to a flaw found within computer processors that leave desktop and mobile devices (endpoint data) potentially vulnerable to various security issues. Meltdown is a hardware-related vulnerability that cannot be externally detected. It affects operating systems, specifically Intel x86, Qualcomm, and some ARM CPUs.
Risks
- Researchers have found that many computer chips leave sensitive information indirectly exposed in memory. As a result, attackers can use these flaws to access sensitive data, like passwords, or look at what tabs someone has open on their computer.
- Opens access to sensitive operating system secrets (Passwords, cryptographic keys, etc).
Mitigation
We recommend applying all available operating system updates as soon as possible:
This article will be updated with patch information for applications that we track, as it becomes available.
- Refer to the Mobile Software and Desktop Software risk vectors to find unsupported operating systems in your organization and update them to at least the versions listed below.
- To see if a company in your portfolio is vulnerable, use the “Software” filter in the Portfolio page.
| Operating System | Description |
|---|---|
| Mac OS, iOS | Available as Mac OS 10.3.2; iOS 11.2: https://support.apple.com/en-us/HT208394 |
| Google Android | Published, but relies on the phone vendor to make the update available to end-users: https://source.android.com/security/bulletin/2018-01-01 |
| Microsoft Windows 10 | Available: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892 |
| Red Hat Linux | In progress: https://access.redhat.com/security/vulnerabilities/speculativeexecution |
| Ubuntu Linux | In progress: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown |
| Debian Linux | In progress: https://security-tracker.debian.org/tracker/source-package/linux |