Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. Since exploiting the Meltdown or Spectre issues requires a malicious program to be installed on the impacted device, it’s important to only download software from sources you trust and to keep your operating system up to date with the latest security patches.
Background
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.
The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory, including that of the kernel, from a less-privileged user process such as a malicious app running on a device.
The Impact
If a malicious program were to be loaded onto an Appspace server, it could allow that program to access sensitive information from Appspace or other programs running on the server. An attacker could use this to gain visibility to passwords or other sensitive information. Appspace Cloud protects against any third party code execution out of the box, but it’s important that on-premises customers avoid running untrusted programs on their own servers.
How we protect you (and how to protect yourself)
How we protect our customers varies based on how our customers chose to deploy Appspace: In our managed cloud or on-premises. Additionally, users have devices that connect to Appspace to display content. We will cover the protections around each in turn:
Appspace Cloud
Our cloud platform is designed in a way that prevents any third party code from executing on the servers which means exploiting these vulnerabilities is not possible in that environment. Additionally, we have already applied all relevant operating system patches related to these vulnerabilities.
Our cloud partners have also already patched all their infrastructure related to our platform, ensuring a secure environment for our cloud platform to operate in.
Appspace On-Premises
If you run Appspace on-premises, you will need to obtain and install the latest security patches for your operating system from Microsoft. Additionally, it is a security best practice to avoid running any third party programs on the server that are not necessary for its operation.
You can find guidance from Microsoft on the vulnerability here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Client Devices
Appspace works with several supported client devices that display content from our platform. Many of these devices are purpose-built, hardened platforms that have a low attack surface. For example, Chrome OS does not allow third-party applications to be installed on the device which mitigates possible attacks right from the start. As mentioned above, since exploiting the Meltdown or Spectre issues requires a malicious program to be installed on the impacted device it’s important to only run trusted and up-to-date programs on your devices.
Finally, many of the hardware vendors of devices that run Appspace have already released patches for their devices:
- If you use a Chrome OS device, Google has already applied relevant patches in the latest Chrome OS kernel (Kernel 3.18 and 4.4)
- If you use Windows-based media player, Microsoft has released patches that you can install on the device.
- If you use a Cisco media player, Cisco is currently investigating their products and are posting updates on their Security Advisory page. Check there for updates.
- For other devices, we suggest you reach out to the specific vendor to determine if they require patches for these security issues.
What we’re doing next
Appspace will continue to monitor this and all other security issues that might impact our customers. We will continue to improve the protections that our cloud platform provides to our customers and provide our on-premises customers with best practices to operate their environments securely. For more information, please visit Appspace Trust.
At Appspace, the trust of our customers is the most important thing to us. We will continue to work tirelessly to ensure that we earn and keep it every day.
Additional Information
- Official Security Issue Site
- Microsoft Windows Server Guidance
- Microsoft Windows Client Guidance
- Google Chrome OS Status
- Cisco Security Advisory
Questions?
If you have any questions, please reach out to Appspace Support or your Customer Success Manager.
