Vulnerabilities affecting all personal computers, mobile devices, cloud servers and providers
Please see the updated UISO recommendations section. Apple has released updates to address the Meltdown vulnerability and a link to Apple's security update page has been added.
A complete mitigation strategy for Spectre is still in progress. However companies have released patches to reduce the likelihood of exploitation through a web browser. Below is a list of some widely used browsers and information regarding patches. If your browser isn't listed, please check with the vendor for guidance.
- Mozilla released Firefox version 57.0.4, which mitigates Spectre.
- Google will release updates for Chrome 64 on Jan. 23 that mitigate Spectre. In the meantime, can be used.
- Microsoft released for Microsoft Edge and Internet Explorer to mitigate Spectre.
- stated that they will release updates for Safari on macOS and iOS soon.
On Jan. 3, details were released about two major called "Spectre" and "Meltdown". These are part of a new class of vulnerability that exists at the level of a computer processor's architecture, as opposed to existing in software or in the physical central processing unit itself. This class of vulnerability can impact an extremely wide variety of devices and is difficult to detect on a system.
- Versions of macOS and iOS. Please see Apple's security updates for systems running or .
- versions 7,8 and 10.
This list only represents widely used platforms. Because this vulnerability has a wide impact, if your platform or software isn't listed in this bulletin, please check with the vendor for guidance.
The UISO has not detected active exploitation at IU at this time.
- Regarding Meltdown: The UISO recommends that relevant vendor patches are applied. It has been reported that the fix will reduce the performance of Intel chips by between 5 and 30 percent.
- Apply Apple's security updates for systems running or .
- Apply Microsoft's security update for systems.
- Apply the patch for systems.
- Regarding Spectre: since work is still being done to develop for Spectre, please monitor relevant vendor email lists and pages for any updates.
If operating system patches cannot be applied, vendor-issued patches to (Google Chrome, Mozilla Firefox, Internet Explorer) should be installed. Please note that patching browsers only mitigates exploitation from one possible vector, and would do nothing against other possible vectors and exploit chains.
- Meltdown website.
- In Windows, how do I safely upgrade to the latest security software
- Technical paper for .
- Technical paper for .