Spectre (CVE-2017-5715 and CVE-2017-5753) and Meltdown (CVE-2017-5754) exploit hardware implementations of most modern microprocessor architectures, which may allow unauthorized disclosure of information to a cyber attacker.
Impact
At this point, there are no known exploits for these vulnerabilities. There is proof-of-concept code available exploiting both, and weaponization is likely only a matter of time. RiskIQ is in the process of validating and patching our environment.
RiskIQ Platform
Currently, we are awaiting final vendor patches to be released and are deploying across our multi-tenant environment as they are made available. Please note that these changes may require scheduled downtime. Additionally, RiskIQ crawling infrastructure does not appear to have been impacted by either vulnerability.
Corporate Environment
RiskIQ is actively patching our corporate servers and end-point machines.
Research
In addition to unauthorized disclosure of information to a cyber attacker with local user access, RiskIQ Research has also successfully produced viable code that suggests the Spectre vulnerability can be exploited from within a browser as well. This exploit, however, is not believed to be a viable method at scale. Exploitation of the Meltdown vulnerability through a browser is currently undergoing research and testing.
Disclaimer
This notice is for informational purposes only and is provided “As Is.” RiskIQ reserves the right to change or update this notice at any time. RiskIQ makes no warranty as to the completeness or accuracy of and assumes no liability for, the information and data contained in this report.