Updated: Addressing Third-Party Security Vulnerabilities

January 10, 2018 Attaullah Malik


Cyber hell broke loose when news surfaced that two computer hardware vulnerabilities known as Spectre and Meltdown were being abused to read CPU cache as a side-channel, creating security vulnerabilities in a wide range of computer processors. These issues were discovered and reported by security researchers at Google Project Zero, Graz University of Technology, and Cyberus Technology. As is the case for many other companies, Watermark’s product infrastructure uses the hardware that is impacted by these vulnerabilities.

The Spectre bug has two different variants: ‘bounds check bypass’ and ‘branch target injection’ which take advantage of the branch prediction mechanism. A branch prediction is a way for the CPU to predict which information will be needed next and retrieve that proactively to improve the performance. The Spectre vulnerability can be exploited by using the branch prediction to trick user processes into executing instructions that will leak sensitive information to the processor cache. This can then be accessed by a hacker. The Spectre bug impacts processors from Intel, AMD, ARM, and Qualcomm.

The Meltdown bug has affected Intel processors since 1995, but was only discovered and reported to Intel last year. It is related to the Spectre bug, in that it uses an out-of-order execution mechanism to read sensitive data in the cache, such as passwords, emails, and web history used by other processes onthe same system.

Has Meltdown or Spectre been exploited by hackers?
No one knows for sure since both exploits leave no trace behind.

What is impacted?
Most servers, desktops, laptops, smartphones, tablets, and cloud services.

Is there a solution out there for these security vulnerabilities?
Google, Amazon, Microsoft, Apple, Linux Distributions, and Cloud Software vendors have been working with the security researchers and processor manufacturers on releasing and distributing the patches for both bugs. Some patches have already been released and others are en route.

Are there any side effects of applying the patches?
The patches have reportedly slowed down the processors on some systems by as much as 30%.

What is Watermark doing about it?
We are aware of the issues and have been monitoring systems closely. We are actively testing and patching the systems since their release. Due to the performance effects mentioned above, we are undergoing thorough testing to make sure there will be little to no impact on our customers. We anticipate any performance impact to be negligible.

When do you expect to complete patching all systems?
It should be noted that in the rush to address the Meltdown and Spectre vulnerabilities, some software vendors have released clumsy patches and have since pulled them after user complaints. In addition, not all vendors have released the patches yet. Watermark is continuing to test all available patches extensively and has applied only the safest ones to our systems. We will continue to test and apply the patches as they are made available by the software vendors. Ongoing updates will be provided here as we apply patches.

Is there system downtime required to patch the systems?
Yes, all systems will require a small window of downtime for this maintenance work, and customers will be notified in advance. This downtime maintenance will be scheduled for early morning hours. In the meantime, we plan to continue to monitor all systems and do not expect any other impact on our users.

Where can I find more information about Meltdown and Spectre?
If you wish to learn more about these third-party vulnerabilities, please visit the Graz University of Technology webpage and Google’s Project Zero’s blog.

We will provide an update once patching is complete. As always, if you have any questions, please feel to reach us at 800-311-5656.


Previous Article
Hold us up to the light…and see the Watermark
Hold us up to the light…and see the Watermark

As you may already know, 2017 was an important year for our company. In March, Taskstream and Tk20 joined f...

Next Article
Commitment to Faculty Data Supports Vitas, Strategic Decisions at Indiana State University
Commitment to Faculty Data Supports Vitas, Strategic Decisions at Indiana State University

With the support of the faculty senate and key administrators, Indiana State University has moved to a full...