Indiana University

Information Security & Policy

Update: Spectre and Meltdown vulnerabilities

Thursday, January 04, 2018

Vulnerabilities affecting all personal computers, mobile devices, cloud servers and providers

UPDATE 2/8/2018

Please see the updated UISO recommendations section. Apple has released updates to address the Meltdown vulnerability, and a link to Apple's security update page has been added.

UPDATE 1/5/2018

A complete mitigation strategy for Spectre is still in progress. However, companies have released patches to reduce the likelihood of exploitation through a web browser. Below is a list of some widely used browsers and information regarding patches. If your browser isn't listed, please check with the vendor for guidance.

  • Mozilla released Firefox version 57.0.4, which mitigates Spectre.
  • Google will release updates for Chrome 64 on Jan. 23 that mitigate Spectre. In the meantime, site isolation can be used.
  • Microsoft released updates for Microsoft Edge and Internet Explorer to mitigate Spectre.
  • Apple stated that they will release updates for Safari on macOS and iOS soon.

Background

On Jan. 3, details were released about two major vulnerabilities called "Spectre" and "Meltdown". These are part of a new class of vulnerability that exists at the level of a computer processor's architecture, as opposed to existing in software or in the physical central processing unit itself. This class of vulnerability can impact an extremely wide variety of devices and is difficult to detect on a system.

Impact

Any data processed on a computer could be compromised. This includes passwords, any documents that contain sensitive or personal data, personal photos, emails, etc. Also, cloud providers that use Intel CPUs and Xen PV, Docker, LXC, and OpenVZ for virtualization are vulnerable. Both Meltdown and Spectre can be exploited through JavaScript (securing your web browser is recommended). Please see the Meltdown website linked below for information about the official security advisories of involved/affected companies (Intel, Microsoft, Ubuntu, etc.). As of Jan. 1, work is still being done to develop a mitigation strategy for Spectre.

Platforms affected

Any untested device should be considered vulnerable. This includes:

  • Versions of macOS and iOS. Please see Apple's security updates for systems running macOS or iOS.
  • Windows versions 7, 8 and 10
  • Linux
  • Android

This list only represents widely used platforms. Because this vulnerability has a wide impact, if your platform or software isn't listed in this bulletin, please check with the vendor for guidance.

Local observations

The UISO has not detected active exploitation at IU at this time.

UISO recommendations

  • Regarding Meltdown: The UISO recommends that relevant vendor patches be applied. It has been reported that the fix will reduce the performance of Intel chips by between 5 and 30 percent.
    • Apply Apple's security updates for systems running macOS or iOS.
    • Apply Microsoft's security update for Windows systems.
    • Apply the patch for Linux systems.
  • Regarding Spectre: Since work is still being done to develop a mitigation strategy for Spectre, please monitor relevant vendor email lists and pages for any updates.
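
One way to confirm that the Linux patch recommended above took effect, as an added example that is not part of the original bulletin: patched kernels report their Meltdown and Spectre status under /sys/devices/system/cpu/vulnerabilities/. The function names and the sample directory are constructed for illustration; a kernel that predates this reporting interface is reported as unknown.

```shell
#!/bin/sh
# Added example: summarize the kernel's own Meltdown/Spectre status report.

classify() {
    # Map one sysfs status line to a short verdict.
    case "$1" in
        "Not affected"*) echo "ok" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "unknown" ;;
    esac
}

check_host() {
    # $1: directory to read; defaults to the real sysfs location on Linux.
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    worst=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
            verdict=$(classify "$status")
        else
            # Older kernels do not expose this file at all.
            status="(not reported by this kernel)"
            verdict="unknown"
        fi
        printf '%-12s %-11s %s\n' "$name" "$verdict" "$status"
        case "$verdict" in
            VULNERABLE) worst=2 ;;
            unknown)    if [ "$worst" -lt 1 ]; then worst=1; fi ;;
        esac
    done
    # 0 = all mitigated or not affected, 1 = something unknown, 2 = vulnerable
    return "$worst"
}

# Constructed sample (not from a real host): the Meltdown patch is applied,
# Spectre variant 2 is not yet mitigated, variant 1 is not reported.
sample=$(mktemp -d)
echo "Mitigation: PTI" > "$sample/meltdown"
echo "Vulnerable" > "$sample/spectre_v2"
check_host "$sample" || echo "result code: $?"
rm -rf "$sample"
```

Calling check_host with no argument reads the live system; the return code makes it usable from an inventory or compliance job.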

Workarounds

If operating system patches cannot be applied, vendor-issued patches to browsers should be installed. Please note that patching browsers only mitigates exploitation from one possible vector, and would do nothing against other possible vectors and exploit chains.
