January 4th, 2018
Note to NPC Clients: All available patches for NPC system's BIOS, Operating System and Web Browsers are being applied as they become available. As always, we are monitoring the patch status of your system and are confident our other layers of security will leave you unaffected by this security event. We will continue to monitor the situation closely, and, as usual, are constantly monitoring your system for any signs of security lapse or breach due to this event.
What's the issue?
Cybersecurity researchers discovered two critical vulnerabilities that exploit flaws within processors used in almost all computers, tablets and many phones. These two vulnerabilities are called Spectre and Meltdown, both of which could give unauthorized access to sensitive information stored in a computer's memory. Although there haven't been any reports of hackers exploiting these vulnerabilities, it is a concern because these breaches are directly in the processor of the computer, bypassing some conventional security measures.
How did this happen?
Researchers have tested Spectre on Intel, AMD and ARM processors and confirmed that almost every system is affected by Spectre including mobile devices and cloud infrastructures. Spectre exploits the processor's speculative execution function, used to speed up processes by guessing the execution path before the execution is completed. The vulnerability is that malicious code could be written to trick the processor into running a speculative execution that would give access to the memory address space where confidential data like passwords and security keys may be present.
Meltdown is a vulnerability that researchers have found in Intel processors that exploits the out-of-order execution feature of the processor to gain access to sensitive information in the memory of the system. The out-of-order execution is a feature used to increase speed, by sending program operations out-of-order to idle execution units when an execution unit is busy with another program operations. This is a security flaw because it allows different programs to easily access other digital memory used by other programs. Conceivably, a culprit could place a malicious program in memory that accesses other program information.
What should I do?
Tech companies including Intel, AMD, ARM, and Microsoft have been working together after these vulnerabilities were discovered to develop software patches as workarounds to fix the issues. Both Intel and Microsoft have issued updates to protect systems from these exploits. Intel system updates are for the majority of their processors made within the past five years, and are issued by system manufacturers and operating system providers. Microsoft issued updates are for supported versions of Windows including Windows 7 and Windows 8, while systems running Windows 10 should have been automatically updated on January 3rd. Some experts believe these updates will slowdown the performance of the processor, but Intel says for the average user it should not be significant.
Ensure you apply all BIOS, Operating System, Web Browser and Application patches as soon as they become available. Considering checking the website of your computer vendor or manufacturer of your processor for situational information and remedial action. Also, only install programs from trusted sources.
NPC will be continuing to monitor the event and will be releasing subsequent updates as more information becomes available. Again, if you are an NPC client, we are monitoring the event closely and your system security as vigilantly as always, and will ensure all remedial measures are applied to your system as soon as they are available.
Intel Newsroom - Intel responds to security research findings
For more information:
Meltdown and Spectre - Bugs in modern computers leak passwords and sensitive data
The Verge - Microsoft issues emergency Windows update for processor security bugs