Meltdown and Spectre vulnerabilities

You may be aware of the recent reports regarding the Meltdown and Spectre hardware bugs affecting Intel, AMD and ARM computer processors. These vulnerabilities were discovered by a number of security researchers and first reported on Wednesday 3rd January 2018. This update summarises what we know about the problem so far and what we are doing to address the issue.

What are Meltdown and Spectre?

Meltdown can be summarised as a flaw that could potentially allow hackers to bypass the hardware barrier between applications run by a user and the computer’s memory. This could potentially allow an application to read the data of another application.

Spectre is slightly different. It potentially allows hackers to trick otherwise error-free applications into giving up secret information.

You can read more on both at https://meltdownattack.com

What devices are affected?

From what we know so far, Spectre affects all modern processors including Intel, AMD and ARM. You’ll find a CPU built by one of these manufacturers in most laptops, desktops, smartphones, tablets and servers. Meltdown at present is believed to affect only Intel processors manufactured since 1995, with the exception of the Atom and Itanium made before 2013.

Are servers I have with Storm affected?

Many of our servers make use of Intel Xeon processors and as such are being addressed by our server admin team. Patches for Meltdown are currently being applied to our Shared hosting servers and Public Cloud infrastructure and we expect the majority to be patched by the end of the weekend. Patches for Spectre will be applied as and when they become available.

The above work, however, WILL NOT patch individual Dedicated servers or Cloud servers. Each server needs to be patched at the Operating System level and, depending on the server’s OS, it is recommended to apply the relevant Windows or Linux patch as soon as it's available.
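Once a Linux server has been patched and rebooted, the kernel itself can be asked whether the fixes are active. The script below is an added example, not part of Storm's tooling. It assumes the kernel exposes the standard /sys/devices/system/cpu/vulnerabilities directory, which kernels carrying the January 2018 fixes provide; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux server.
# Assumption: the kernel publishes one status file per issue in the directory
# below; a missing directory means the kernel predates the fixes.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints OK, PATCHED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not subject to the issue
        Mitigation:*)    echo PATCHED ;;     # e.g. "Mitigation: PTI"
        Vulnerable*)     echo VULNERABLE ;;  # fix absent or disabled
        *)               echo UNKNOWN ;;
    esac
}

# check_host [DIR] -> prints one line per issue.
# Exit status: 0 nothing vulnerable, 1 vulnerable or unknown entry found,
#              2 kernel reports no status at all.
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no status directory at $dir: kernel predates the fixes"
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
            state=$(classify_status "$text")
        else
            text="(no entry)"
            state=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$name" "$state" "$text"
        case "$state" in VULNERABLE|UNKNOWN) rc=1 ;; esac
    done
    return $rc
}
```

Source the file and run `check_host` with no argument on the server; a non-zero exit status means at least one of the three issues is still unmitigated or unreported.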

If you have a dedicated or cloud server with us and would like us to apply the relevant patch for you, please raise a ticket and advise our team of this, along with a suitable time at which they may apply the patch and reboot your server. Applying the patch will require approximately 15 minutes of downtime. If the patch is not yet available (at the time of writing, a patch for the Linux CentOS v6 OS is yet to be released), we will apply it at the time you specify on the date it becomes available.

Will the fix slow down my server?

There are reports that applying the Meltdown patch may slow down a device by up to 30%. This has been noted mostly in applications that do a lot of reading and writing to disk or send a lot of data over a network. This occurs because the patch separates the application and kernel memory required by the various operating systems in order to prevent the flaw being used to access protected data. If you host a read- or write-intensive application on your server, it is worth considering this impact on performance and making a judgement before applying the patch. However, if the device hosts sensitive data, we highly recommend that the patch is applied regardless.

What can I do about my other devices?

For devices that we don't manage for you, the best thing you can do to protect them from security flaws and vulnerabilities like this is to ensure that they have the latest security patches applied at all times. The most efficient way of ensuring this is to enable the “Auto-Update” feature of your device. This way the latest security patches are usually applied automatically as and when they become available.

For further updates...

As Meltdown and Spectre are very recent announcements, the news on them is sure to change over the coming days and weeks as more is learnt about them and as more software providers work to roll out further patches. We will continue to report on new developments as they become available. We will also take immediate action where necessary to ensure that our IT environment remains secure, in order that our customers, who depend on the resilience of our infrastructure for continuous service, also remain secure. To keep up to date on the latest developments, please ensure that you follow our Blog at https://www.storminternet.co.uk/blog and our various Social Media feeds.

If you require any further information on this subject, or if we are able to assist you in any way, please do not hesitate to get in touch.

Kind regards,

Storm Internet Support Team

a: 1 Canal View, Wharf Farm, Eynsham Road, Witney, Oxfordshire. OX29 4DB
t: 0800 817 4727
w: http://www.storminternet.co.uk
Storm Internet Ltd
