Spectre and Meltdown are two critical vulnerabilities that have serious implication for schools. This is because these design flaws affect any computer or mobile device equipped with AMD, ARM, and Intel processors.
These hardware bugs can leave you highly exposed to a significant security threat. Also known as Spectre CVE-2017-5753 and CVE-2017-5715 and Meltdown CVE-2017-5754, these vulnerabilities in the hardware can be exploited to conduct side-channel attacks (where malicious programs gain access to sensitive data stored on the physical device).
Spectre and Meltdown Explained
Hardware vulnerabilities like Meltdown can be exploited to access the contents of the kernel memory using an unprivileged user process. Spectre can be exploited to access data (like login cookies from browsers) from other running processes. What makes it worse is the fact that malicious techniques like time-based data extraction make these attacks very difficult to detect with traditional tools.
Spectre and Meltdown will have an impact on the following:
- Desktop and laptop computers regardless of the operating system (OS)
- Smartphones
- Tablets
- Servers (including virtual machines)
Processors affected by Meltdown are as follows:
- ARM processors (Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75)
- All out-of-order Intel processors released between 1995 to 2017 (with the exception of pre-2013 Atoms and Itanium)
If your school computers are equipped with AMD processors, you won’t have to worry about being affected by Meltdown. But this doesn’t mean that you’re in the clear as you’ll have to deal with the Spectre bug.
Processors affected by Spectre are as follows:
- AMD processors
- ARM processors (Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75)
- Intel processors
What Should School Leaders Do?
Responding to these threats isn’t straightforward since each variant of these bugs will demand a different approach. Each approach will also have a considerable impact on workloads.
For example, Spectre variant CVE-2017-5715 requires a firmware upgrade while Meltdown and Spectre CVE-2017-5753 can be resolved through software migration. Spectre will also require updates to the compilers, recompiled applications, and the OS.
The easiest way to respond to this situation is to replace all the hardware on campus, but this approach isn’t ideal as it will break the bank. Instead, educators should work closely with vendors to review, monitor, and test all the latest patches and firmware updates before applying it to all in-house devices. At the same time, all available OS updates should be downloaded and installed to ensure protection.
Testing is important because you may run into some problems like patches coming into conflict with third-party antivirus programs. With all the different types of computers and mobile devices on the school network, there might also be a variety of capability issues.
You’ll also have to prepare for some performance issues when the hardware vulnerabilities are mitigated through software patches.
It’s still early and the primary focus at the moment is to efficiently mitigate the security threat. Once that’s done, these patches will probably be optimized to enable better performance. However, you have to understand that there are multiple variables involved (like the workload in question and technology involved), so each workload and environment might yield different results.
At present, the tests conducted at the Center for Computational Research, State University of New York (SUNY), University at Buffalo found that the worst case performance hit can be as high as 74% for select functions like file metadata operations and MPI random access. Real-world applications saw a 2 to 3 percent performance hit for single node jobs and 5 to 11 percent performance decrease for parallel two-node jobs (which won’t be obvious to the average user).
If you’re just starting the process of responding to Spectre and Meltdown, it will be a good idea to first turn on site isolation in your browsers to prevent malicious code from exploiting these vulnerabilities.
With all the different variables and complexities surrounding these hardware bugs, mistakes can have serious consequences.
Overwhelmed school IT departments will be better off engaging a third-party managed service provider (MSP) to help run internal tests (on a case by case basis) and deploy all necessary updates and patches on all school computers, servers, and mobile devices. To get you up to speed with Spectre and Meltdown, why not partner with an established MSP with extensive experience in the education industry?
MECS is a full-service technology company that helps educational institutions effectively leverage technology to meet their objectives while maintaining enhanced security.