Two microarchitecture vulnerabilities were disclosed to the public recently: Meltdown and Spectre. These vulnerabilities affect processors present in most modern computing devices, including personal computers, servers, cloud infrastructure, and mobile devices like phones and tablets. Your operating systems and software should be updated immediately to protect against exploitation. SimpleLegal and other platform providers are also working to mitigate the risks posed by these vulnerabilities.
What are Meltdown and Spectre?
Two CPU microarchitecture vulnerabilities were discovered by Google’s Project Zero team and independently by other researchers: Meltdown and Spectre.
The Meltdown vulnerability, CVE-2017-5754, can potentially allow hackers to bypass the hardware barrier between applications and kernel or host memory. A malicious application could therefore access the memory of other software, as well as the operating system. Any system running on an Intel processor manufactured since 1995 (except Intel Itanium and Intel Atom before 2013) is affected.
The Spectre vulnerability has two variants: CVE-2017-5753 and CVE-2017-5715. These vulnerabilities break isolation between separate applications. An attacker could potentially gain access to data that an application would usually keep safe and inaccessible in memory. Spectre affects all computing devices with modern processors manufactured by Intel or AMD, or designed by ARM*.
*ARM processors are the dominant computing platform for the vast majority of mobile devices, including phones and tablets from Apple, Google, Samsung, HTC, etc.
Am I Affected?
Yes. The vulnerabilities are present on all devices with affected CPUs, including desktops, laptops, servers, cloud infrastructure, and mobile devices. However, operating system and software patches mitigate the risks posed by Meltdown and Spectre.
What is SimpleLegal Doing to Protect Me?
Your security is of utmost importance to us at SimpleLegal. Our engineering and security teams have made architectural and design decisions that significantly elevate and improve the security posture for all of our customers when faced with vulnerabilities, including Meltdown and Spectre. We are closely monitoring this situation and working with our best-in-class vendors to ensure that all of our systems are patched and these vulnerabilities are mitigated as quickly as possible. As patches become available, they are applied immediately.
One of SimpleLegal’s service providers is Amazon Web Services (AWS). The AWS infrastructure was protected in advance of the Meltdown and Spectre disclosure, thereby immunizing a significant portion of SimpleLegal’s infrastructure in advance as well. At this time, all infrastructure that AWS provides to SimpleLegal has been patched to mitigate potential risk from these vulnerabilities.
In addition, SimpleLegal has taken steps to ensure that, internally, we are up-to-date on all mitigation patches with regard to workstations as well as all devices used by personnel. To take similar precautions with your own computers, servers, and devices, please see the next section to learn what you can do to reduce your risk.
If you have any questions or encounter issues, please contact us at: firstname.lastname@example.org
What Should I Do?
SimpleLegal is currently working with vendors to mitigate the risks posed by Meltdown and Spectre with regard to the SimpleLegal cloud platforms.
However, you must also take the necessary steps to protect your personal computers, servers, and other devices. This is a great opportunity to do a quick “Check for Updates” on all of your devices and applications and install anything that’s available.
Install all vendor-supplied operating system updates, such as:
- macOS 10.13.2, iOS 11.2, tvOS 11.2
- Microsoft Update KB4056890
- Android Security Bulletin January 2018
Update browser software, such as:
- Mozilla Firefox version 57.0.4 or higher
- Microsoft Edge is patched in Microsoft Update KB4056890
- Safari version 11.0.2
- Google Chrome version 64 should be installed immediately when available on January 23; in the interim, enable site isolation manually as described here now
Please contact email@example.com for any other questions and we are happy to help.