As you may be aware, computer security researchers recently discovered several flaws in the microprocessors of nearly all modern computers (including cell phones, tablets, etc.). This has led to two new vulnerabilities, called Meltdown & Spectre. If exploited, these vulnerabilities can result in the unauthorized disclosure of data being processed by - or stored in - your computer’s memory (e.g., passwords, personally identifiable information, etc.).
Penn is taking a number of steps to ensure that University systems and software are patched as soon as possible, that resources are available to assist you with questions or concerns, and to monitor for changes in the threat level. Where possible, we will also monitor for and block attacks at the campus firewall. Please direct any questions related to Meltdown and Spectre to ISC Information Security Office at (215) 898-2172 or security@isc.upenn.edu.
Quick Summary
- Keep all systems and applications patched (including mobile and personal devices).
- Talk to your local IT support providers (https://www.isc.upenn.edu/get-it-help).
- Don’t panic and please stay tuned. At the time of this writing, there is no evidence of active exploitation of these vulnerabilities, but this situation continues to evolve.
Detailed information on Meltdown and Spectre is provided in the following sections with additional resources listed on this webpage right-hand banner.
The discovery of several flaws in computer processors have led to two new vulnerabilities, Meltdown & Spectre. These vulnerabilities can result in the unauthorized disclosure of data being processed by, or stored in, your computer’s memory (e.g., passwords, personally identifiable information, etc.).
Meltdown and Spectre affect processors from a variety of manufacturers (Meltdown primarily affecting Intel chips and Spectre affecting Intel, AMD and ARM). Almost every modern computing device (including phones, tablets, gaming systems, etc.) uses one of these processors, so the scope of impact is broad.
The complete way to fix this problem in the future will be to either replace the processor or upgrade its code. Both of those actions are likely to be difficult and/or expensive. As a stop-gap measure, software patches for common operating systems (Windows, Mac, Linux, etc.) and applications (MS SQL, Oracle, etc.) are being released and can help mitigate the vulnerability.
There are still a number of outstanding concerns:
- The software patches may negatively impact some systems (i.e., up to 30% decrease in performance) worse than others.
- Not all applications may be patched by vendors. Not all applications or operating systems may have patches released in a timely fashion (e.g., before exploits begin occurring in the wild).
- The software patches are a work-around, not a final fix, so may need further updating later.
For these reasons, this is an evolving, and likely to be long-standing, problem that will not be fully or easily remediated in the short term. However, it can be greatly mitigated through diligent response and monitoring, so please stay tuned to the issue.
- Work with your local IT support provider to ensure that you have minimized the risk by applying all software updates (both operating system and application) provided by the manufacturer. If you are unsure who your support provider is or how to reach them, please visit: https://www.isc.upenn.edu/get-it-help.
- Don’t panic and stay tuned. This is an evolving issue.
- Central/ISC systems are being patched as soon as patches become available at the earliest, and in accordance with normal planned patching schedules (weekly, monthly) at the latest. If exploits are known to be occurring, all available patching will be expedited.
- ISC is working closely with supported hardware and software vendors to understand risks particular to different platforms and the most expedient mitigation paths available.
- In addition to the support from local IT staff, ISC will also work with Penn’s IT community to schedule custom ‘office hours’ sessions on this topic at the “Tech Center” in G-102 in the Van Pelt Library if needed.
- Information Security is working with Schools and Centers to evaluate risk, monitoring all channels for news, information and/or evidence of the vulnerability being exploited in the wild, and alert the community as updates occur. (Currently there has been no active exploitation reported).
- When/where possible, we are monitoring and blocking for attacks attempting to exploit either of these vulnerabilities at the campus firewall. (There are currently only a few rules available at this time, although we expect there to be more later).