Cybersecurity Update

Recently, in the ATLIS Slack Channel on #security, Shandor Simon, Director of Technology  at the Latin School of Chicago (IL), shared a collaborative document for tracking the cybersecurity information of concern to Independent Schools for January. In this post, we share his document and a link for updating -- and we encourage our community to crowdsource the information critical to keeping our information safe. We also want our community to know that ATLIS will offer its Cybersecurity Workshop for Independent Schools as an introductory bootcamp at our annual conference and as a two-day workshop this summer in Fort Worth, Texas, on July 19-20. Learn more about this essential, one-of-a-kind workshop for independent schools here.  -- SD

(10-minute read)

Recent news about critical vulnerabilities is causing tremendous discussion among independent school technology leaders. Two bugs, “Meltdown” and “Spectre” have been found in modern processors that “leak” passwords, cryptographic keys, and other sensitive data. These bugs are particularly alarming because they impact almost all modern computers. The “Spectre” bug is known to exist on Intel, AMD, and ARM processors, while the “Meltdown” bug has only been verified on Intel processors. A good overview of these flaws is https://meltdownattack.com.

The following is from a collaborative document  providing the current information for various platforms for these flaws:

  CVE-2017-5753 CVE-2017-5715 (Spectre) CVE-2017-5754 (Meltdown)
Windows “Microsoft has issued an out-of-band patch update for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018” [source]
OS X / iOS

“Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.” [source]

Apple has released fixes for El Capitan (10.11), Sierra (10.12) and High Sierra (10.13) for the Meltdown flaw. Apple has revised this document to no longer include 10.11 and 10.12 :-(

[source]

Android

Updates are handled via device manufacturers and sometimes carrier partners. Google branded devices (Nexus and Pixels) have updates. I’m not aware of updates from any other manufacturers.

“Devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices.

Supported Nexus and Pixel devices with the latest security update are protected.

Further information is available here.” [source]

Linux “Linux kernel developers have also released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space.” [source]
VMware ESXi

“VMSA-2018-0002 -VMware Security & Compliance Blog -VMware Blogs: https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html

VMware Security Advisory –VMSA-2018-0002: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Quick Summary –we already had previously released the respective patches.As I understand it, VMware was under embargo and could not divulge information until next week.However, media broadcasts forced the lift of the embargo.I learned that we released the patches for ESXi, Workstation and Fusion earlier (Sep –Dec, depending on the vSphere product and version) last night.”

[source: e-mail from VMware sales team / MacAdmin Slack]

Other

Google Product Status (includes cloud offerings)

iMore has a good overview for iOS/OS X users

https://meltdownattack.com is a good overview

       

 

Share this post:

Comments on " Cybersecurity Update"

Comments 0-5 of 0

Please login to comment