
      Two major vulnerabilities discovered affecting almost all devices on the market have been dominating the headlines recently, stretching beyond the normal tech news and into mainstream media.

      This is for good reason; these vulnerabilities, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), affect a very basic CPU function known as speculative execution which is used in all modern CPUs.

      What is speculative execution?

      To improve performance, a CPU may predict and execute instructions ahead of time. If these predictions are incorrect, they are rolled back silently and invisibly without affecting running applications. If they are correct, execution can continue much faster for the software requiring them, thus improving performance.

      Why is this a problem?

      Exploitation can be difficult, but during speculative execution some information may occasionally be left in memory and not cleared down, leaving it exposed to a potential attacker.

      Staged demonstrations of the exploits have allowed for the collection of passwords and other sensitive data, including from kernel memory; a potential exploit may be possible via a browser with malicious JavaScript, enabling remote theft of personal information through the Spectre exploit.

      There are, however, no known exploits of this in the wild today as confirmed by Google, Apple and others.

      Notable mobile devices at risk include the Galaxy S8, S8+, Note 8, Google Pixel 2 and Pixel 2XL, as well as iPhone, iPad, Mac and Apple TV.

      How is this being resolved?

      Intel is working with ARM and AMD to fix this at the hardware level; Apple, Google, Microsoft and others are also patching this via software.

      • Apple released mitigations as part of iOS 11.2, macOS 10.13.2 and tvOS 11.2 with more to come including for the Safari browser.
      • Google have released the January 2018 security update, which includes mitigations against attack. For the Chrome browser, Google suggest enabling site isolation.
      • Microsoft released security updates on January 3rd to mitigate attack for Windows devices, and a cumulative update for Windows Phone devices shortly after.
      • MobileIron: 
        Please also see 16/01/2018 update post here.  

        Meltdown potentially impacts systems running MobileIron server products. This includes MobileIron physical appliances. An attacker who gains unprivileged access to a vulnerable system could potentially extract memory from other processes or VMs. MobileIron Core, Sentry, and Cloud product deployments are less prone to this kind of attack as the system does not normally allow unprivileged users to run arbitrary programs. However, MobileIron is working to release patches to protect customers.

        MobileIron will be releasing necessary updates across our products with the respective patches applied.  We will keep you informed on the release date.

        Customers with an upgrade or platform management subscription will be contacted ASAP to plan the intervention.
        Customers using virtualization will want to apply patches from their hypervisor provider as well.
        You can follow MobileIron’s article on their Security page on the knowledgebase: https://community.mobileiron.com/docs/DOC-5739

      • VMware AirWatch:
        Shared SaaS: The VMware AirWatch SaaS Service team is currently evaluating, identifying, and patching affected systems in our SaaS environments related to vulnerabilities described in CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown).

        Dedicated SaaS: In the event VMware AirWatch must perform maintenance that will affect our service availability to our SaaS dedicated customer environments, AirWatch will work with you to determine suitable scheduling of these activities.

        On-Premise: On-Premise environments managed by customers should be remediated in accordance with the guidance document provided by your operating system vendor(s). VMware AirWatch is in the process of evaluating shipped products to determine whether patching is necessary. At this time, VMware AirWatch has not identified any AirWatch products requiring software patches.

        You can follow VMware’s AirWatch article at https://support.air-watch.com//articles/115015960907-Security-Vulnerability-CVE-2017-5753-CVE-2017-5715-Spectre-and-CVE-2017-5754-Meltdown-

      How to protect devices from attack

      First and foremost, ensure devices are updated. For Windows and iOS/macOS devices the updates are available immediately; for Android devices the security patch is already available for some devices but still in progress for others. Check frequently.

      Secondly, CWSI has always recommended only installing applications from reputable sources, such as official app stores, and for this issue our advice is no different; installation from 3rd party locations is the leading source of malware infection on mobile devices.

      Finally, for additional protection, temporarily disabling JavaScript in Chrome, Safari, Firefox and other browsers to reduce the opportunity of attack may be considered.

      Note: For iOS devices, it is possible to disable JavaScript in Safari via an MDM restriction as per screenshot below. This example is from MobileIron but any MDM vendor will be able to leverage this restriction as it's a standard Apple control.

      For Android Enterprise, it is also possible to disable JavaScript on managed Google Chrome. Again a sample screenshot from an MDM config is shown below.
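
To act on the first recommendation above at fleet scale, the following Python script (an added example, not part of the original advisory or any MDM vendor's tooling) checks an exported device inventory against the patched releases named in this advisory. The inventory rows and field names are constructed and hypothetical, and the Android threshold assumes the January 2018 update is reported as a security patch level of 2018-01-01 or later.

```python
# Added example: inventory rows are constructed; field names are hypothetical.
from datetime import date

# Minimum patched releases named in this advisory.
MIN_OS = {"ios": (11, 2), "macos": (10, 13, 2), "tvos": (11, 2)}
# Assumption: the January 2018 Android update reports a patch level >= 2018-01-01.
MIN_ANDROID_PATCH = date(2018, 1, 1)


def parse_version(text):
    """Turn '10.13.2' into (10, 13, 2); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(version, length):
    """Right-pad with zeros so '10.13' compares as 10.13.0."""
    return version + (0,) * (length - len(version))


def assess(device):
    """Return 'patched', 'outdated' or 'review' for one inventory row."""
    platform = device.get("platform", "").lower()
    try:
        if platform in MIN_OS:
            minimum = MIN_OS[platform]
            have = parse_version(device["os_version"])
            width = max(len(have), len(minimum))
            return "patched" if pad(have, width) >= pad(minimum, width) else "outdated"
        if platform == "android":
            level = date.fromisoformat(device["security_patch"])
            return "patched" if level >= MIN_ANDROID_PATCH else "outdated"
    except (KeyError, ValueError):
        pass  # missing or malformed field: do not guess, send to manual review
    return "review"  # e.g. Windows: the advisory gives no build number to compare


INVENTORY = [  # constructed sample data
    {"name": "iphone-01", "platform": "iOS", "os_version": "11.2"},
    {"name": "iphone-02", "platform": "iOS", "os_version": "11.1.2"},
    {"name": "mac-01", "platform": "macOS", "os_version": "10.13"},
    {"name": "pixel-01", "platform": "Android", "security_patch": "2018-01-05"},
    {"name": "s8-01", "platform": "Android", "security_patch": "2017-12-01"},
    {"name": "win-01", "platform": "Windows", "os_version": "10.0.16299"},
]


def report(inventory):
    """Map each device name to its assessment."""
    return {d["name"]: assess(d) for d in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

Devices returned as "review" need a manual check against the operating system vendor's own guidance.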

      If you would like more detail on these controls or anything else in relation to this advisory, please don’t hesitate to contact us.

      In closing

      While these vulnerabilities are severe, it is worth reiterating that there are no known exploits in the wild. Meltdown requires the installation of local software in order to achieve an exploit, and Spectre is considerably more difficult to exploit, requiring perfect timing.

      As long as devices are kept up to date as mitigations are deployed, customer devices should be safe.

      For questions or concerns, please reach out to support@cwsi.ie or reach me directly below.

      Jason Bayton | Senior Consultant & Android SME | CWSI | +44 (0) 7920 952 999 | jbayton@cwsi.co.uk | www.cwsi.ie | Twitter | LinkedIn
