Spectre and Meltdown vulnerabilities

By Sean | January 8, 2018


We are closely monitoring the emerging situation with the recently announced Spectre and Meltdown vulnerabilities that affect most modern computer processors.

UPDATE 31 May

Regular patches are being supplied by Intel and AMD for Windows/Mac/Linux operating systems.

Our hosting partner (Sitehost) is working closely with hardware manufacturers and operating system providers (e.g. Microsoft Windows) to mitigate potential exposure to these vulnerabilities. (See this link for progress: http://www.sitehost-status.net/ )

Of these two vulnerabilities, Meltdown can be satisfactorily patched with standard operating system updates and these updates are expected to be available to test and apply within the next few days. (See linked articles below for more info)

Here at i-lign, we customarily apply security patches on a weekly basis on Sunday evenings to minimise disruption to users. During this event, we expect to be restarting i-lign during the week (we plan that restarts will be occurring outside of core business hours). We have a rollback plan in case of serious problems with the patches and we will be testing these patches in our test environment prior to deploying them to our hosted customers.

The Spectre vulnerability is significantly more complicated to mitigate and the fixes are likely to occur over an extended period of time. The good (or slightly more reassuring) news is that Spectre vulnerabilities are reportedly much more difficult to exploit.

Final Update 20 February 2018

Following the successful updates on private cloud hypervisors, we are now in a posture of ongoing monitoring. The updates do not appear to have had any negative impact on performance; however, we will continue to monitor closely for the next few months. The Meltdown and Spectre vulnerabilities are being closely studied and monitored by the industry and further remediation may be required at short notice.

Update 2 February 2018

Sitehost have informed us of a planned 30-minute outage (between 1am - 4am on Thursday, 8th February) to install additional updates on the private cloud hypervisors that our i-lign platform runs on, to further protect against exploits emerging from this vulnerability.

Update 29 Jan 2018

We have released the Windows Server patch after extended testing last week. The Windows server is performing normally at this stage. Microsoft and Sitehost report a performance degradation of up to 60% in some situations after this patch has been applied. We will continue to closely monitor this server’s performance over the coming days to ensure performance remains efficient and stable.

Update 22 Jan 2018

Our hosting provider has released a further update on progress with patching their equipment, which is due to take place for Sitehost’s Windows servers this evening. Our single Windows server will be patched and restarted tomorrow. The balance of our servers are run on Linux architecture, with all the recommended patches already installed and running.

Update 15 Jan 2018

Over the weekend we have rolled out tested fixes to our hosted servers and our office infrastructure here in Wellington.

Sitehost published an update on Friday afternoon to advise their testing programme is progressing well with an ETA for patching their underlying architecture looking to be early to mid this week (16 or 17 Jan). Definite timing will be released by Sitehost as their plans evolve.

What can I do?

Allow your PC to go ahead with security updates - don’t postpone your Windows/Mac/Linux Updates :-)

Further reading for those inclined

Hardcore techies