Recently, two important vulnerabilities were announced: Meltdown and Spectre.
This note describes Electra’s response to these problems.
Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It effectively allows a rogue process to read any physical, kernel or other process' mapped memory, regardless of whether or not it should be able to do so. This is largely a problem for shared systems (cloud-based systems). In order for this to be effective, the rogue process needs to be running on the same physical CPU as the application from which it intends to steal data.
There are two possible mitigations to this attack:
1. System Isolation
2. System Patching
With respect to isolation: Electra's primary data center is Rackspace. At Rackspace, Electra has dedicated physical hardware (a private cloud) where all of the hardware is owned by and used entirely by Electra. Electra only runs its own applications on that hardware. As a consequence, the Meltdown vulnerability does not apply to its primary data center.
With respect to patching: Electra has a policy of keeping its systems up to date with the latest patches. Microsoft released a patch on January 3rd for Meltdown, and Electra will apply these patches on its weekly update schedule.
Spectre is a hardware vulnerability in implementations of branch prediction that affects modern microprocessors with speculative execution, allowing malicious processes to access the contents of other programs' mapped memory. Two Common Vulnerabilities and Exposures (CVE) IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued. Active research into the resolution path for Spectre is underway, with some browser changes being part of the mitigation.
Nonetheless, Electra's policy of system isolation and system patching is the industry recommendation for resolving these issues. As such, the solution path described for Meltdown is the best path for Spectre resolution as well.
With respect to disaster recovery (DR), Electra is using Amazon as its provider. On Amazon systems, the hardware is not fully isolated to only running Electra applications. Amazon is actively working to release updates to its products. Well before the Amazon changes are made available, Electra will have fully patched all of its systems with the latest Microsoft and other patches.
As a practical matter, there has been no known exploitation of these vulnerabilities. While they exist, they largely exist in the lab.
We take the responsibility of keeping your information protected very seriously at Electra Information Systems.
We would like to assure you that with regard to the aforementioned exploits:
1. Your account is secure.
2. Your account details were not exposed in the past and will remain secure.
3. You do not need to take additional action to safeguard your information.
4. There is no need to change your password.