Homeland Cloud security advisory: Spectre and Meltdown vulnerabilities

Homeland Cloud IaaS platform patched in real-time; system vendors confirm updates

Revera has launched a programme of preventative remediation to protect its Homeland Cloud IaaS platform from Spectre and Meltdown vulnerabilities.

The cloud provider’s technical operations teams have completed testing and rollout of currently available vendor updates (patches) to affected systems.

Vendor patches address flaws arising from features built into chips that help them run faster, which theoretically open up possibilities for dangerous attacks. For example, Spectre could exploit JavaScript code to trick a web browser into revealing user and password information.

“Patches typically take the form of an update to the hardware firmware, or a patch to a hypervisor or virtual guest operating system,” said Jason Porter, Revera Chief Information Security Officer (CISO).

He said there was no evidence indicating that any attacks or flaws exploited on the back of Spectre and Meltdown vulnerabilities.

Porter said preventative remediation was part of a broad-based security review involving multiple layers of security used to defend Revera’s Homeland Cloud platform, including internet, routers, firewalls, networks, operating systems and servers, to ensure its cloud environments remained secure.

He said patching potentially slowed some services, though in the majority of cases impacts wouldn’t be noticeable.

Porter said he expects vendors to release additional updates over the coming weeks, and recommended a range of measures for businesses and home users to keep themselves protected.

These included applying the latest software patches to computers (including home and mobile devices), web browsers, email systems, firewalls, and other security systems; conducting regular backups; and maintaining offline and offsite backup volumes wherever possible.

“Clients should also stay alert to potential phishing emails – never open attachments from an unknown source,” he said. 

Revera will notify clients as systems are updated.

For the latest developments contact your Revera client engagement manager, or email Securitymanagement@revera.co.nz 

 

date_range 19 January 2018