Taskstream-Tk20 & LiveText Addresses Third-Party Security Vulnerabilities
Cyber hell broke loose when news surfaced that two computer hardware vulnerabilities known as Spectre and Meltdown were being abused to read CPU cache as a side-channel, creating security vulnerabilities in a wide range of computer processors. These issues were discovered and reported by security researchers at Google Project Zero, Graz University of Technology, and Cyberus Technology. As is the case for many other companies, Taskstream-Tk20 & LiveText’s infrastructure uses the hardware that is impacted by these vulnerabilities.
The Spectre bug has two different variants: ‘bounds check bypass’ and ‘branch target injection’ which take advantage of the branch prediction mechanism. A branch prediction is a way for the CPU to predict which information will be needed next and retrieve that proactively to improve the performance. The Spectre vulnerability can be exploited by using the branch prediction to trick user processes into executing instructions that will leak sensitive information to the processor cache. This can then be accessed by a hacker. The Spectre bug impacts processors from Intel, AMD, ARM, and Qualcomm.
The Meltdown bug has affected Intel processors since 1995, but was only discovered and reported to Intel last year. It is related to the Spectre bug, in that it uses an out-of-order execution mechanism to read sensitive data in the cache, such as passwords, emails, and web history used by other processes onthe same system.
Has Meltdown or Spectre been exploited by hackers?
No one knows for sure since both exploits leave no trace behind.
What is impacted?
Most servers, desktops, laptops, smartphones, tablets, and cloud services.
Is there a solution out there for these security vulnerabilities?
Google, Amazon, Microsoft, Apple, Linux Distributions, and Cloud Software vendors have been working with the security researchers and processor manufacturers on releasing and distributing the patches for both bugs. Most of the patches have already been released and others are en route.
Are there any side effects of applying the patches?
The patches have reportedly slowed down the processors on some of the systems by as much as 30%.
What is Taskstream-Tk20 & LiveText doing about it?
We are aware of the issues and have been monitoring systems closely. We are actively testing and patching the systems since their release. Due to the performance effects mentioned above, we are undergoing thorough testing to make sure there will be little to no impact on our customers. We anticipate any performance impact to be negligible.
When do you expect to complete patching all systems?
We expect to complete the patching by:
- January 22 for all Taskstream products
- February 28 for LiveText products
- February 28 for all Tk20 products
Is there system downtime required to patch the systems?
Yes, all systems will require a small window of downtime for this maintenance work, and customers will be notified in advance. In the meantime, we plan to continue to monitor all systems and do not expect any other impact on our users.
Where can I find more information about Meltdown and Spectre?
If you wish to learn more about these third-party vulnerabilities, please visit the Graz University of Technology webpage and Google’s Project Zero’s blog.
We will provide an update once patching is complete. As always, if you have any questions, please feel to reach us at 800-311-5656.