Update on Meltdown and Spectre

On 3 January 2018, a new class of attacks against modern CPU microarchitectures was disclosed to the public. Two specific, demonstrated attacks were disclosed: Meltdown and Spectre. The general impact is that an attacker who can run code on a particular computer may be able to read memory outside the areas that code is authorised to access. Of particular concern was the combination of these attacks with modern virtualisation, where several customers’ workloads share the same physical server and could potentially observe each other’s memory contents. Additionally, malicious JavaScript executing inside a web browser could in principle read memory belonging to other tabs in the same browser session, allowing a malicious website to ‘steal’ cookie values, credentials, PII or similar. More information on the disclosure can be found here: https://spectreattack.com

Ometria runs on Amazon Web Services (AWS). On 4 January 2018, the day after the disclosure, AWS issued an update to all running server hosts in its data centres, and the corresponding updates were automatically applied by our systems. We therefore believe our systems to be protected against these attacks. We will continue to monitor this issue and will continue to automatically apply system updates as needed.
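Applying updates is only half the story: the host (hypervisor) patches AWS applied are invisible from inside an instance, while the guest kernel reports its own Meltdown/Spectre mitigation status under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, each reading "Mitigation: …", "Not affected" or "Vulnerable…"). The following script is an added example, not part of the original Ometria post or any AWS tooling; it summarises that directory and flags anything still reported as Vulnerable. The sample status strings it falls back to when run on a system without that directory are constructed from values early patched kernels reported and are only there so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Ometria post): summarise the Meltdown/Spectre
# mitigation status the running Linux kernel reports. Assumes a kernel new
# enough to expose /sys/devices/system/cpu/vulnerabilities (kernels carrying
# the January 2018 fixes do).

# Print one line per entry in DIR and return 1 if any entry still reports
# "Vulnerable"; 0 otherwise.
check_cpu_vulns() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     flag="FAIL"; rc=1 ;;
            "Not affected"*) flag="ok" ;;
            Mitigation*)     flag="ok" ;;
            *)               flag="?" ;;       # unknown wording: inspect by hand
        esac
        printf '%-12s %-4s %s\n' "$name" "$flag" "$status"
    done
    return $rc
}

# Constructed sample so the script runs offline: a guest whose kernel has
# KPTI for Meltdown but whose Spectre v2 mitigation is incomplete.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    target=/sys/devices/system/cpu/vulnerabilities
else
    target=$(make_sample_dir)
fi

if check_cpu_vulns "$target"; then
    echo "all listed issues mitigated or not applicable"
else
    echo "WARNING: at least one issue is still reported as Vulnerable"
fi
```

Run this on each instance after a reboot (the guest kernel must be restarted for its own mitigations to take effect); a "FAIL" line means the guest, not AWS, still has work to do.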

It’s important to stress that, although proof-of-concept code for these attacks has been published, the steps required to exploit them against a real target are hugely complex. Given that complexity and the short time between disclosure and security updates being applied, it is highly unlikely they were used against our systems. It’s also important to note that all Software as a Service (SaaS) providers are similarly affected, as this issue affects the CPUs used in the majority of servers worldwide.

It’s also worth noting that individual computers and mobile phones are affected as well, with a malicious website being the most likely route to exploiting them, so it’s worth making sure that any systems you or your team use to access sensitive information are fully up to date. Specifically you should:

  • Update your operating systems with the latest patches. Apple will release a macOS fix shortly; Microsoft has already released a Windows update.
  • Update your browsers. Browsers are continually releasing new features and updates. As a best practice, you should enable automatic updates on your browser.

If you’re interested in solving problems like this to help make the way retailers communicate with their customers more personalised and engaging, we are hiring! Check out our careers page.