A CPA’s Guide to Address Spectre & Meltdown

Jan 19th 2018

The technology world has been abuzz thus far in 2018 about two major hardware security flaws, recently disclosed, which affect almost every computer, smartphone, and tablet built in the last two decades and which can be exploited through something as ordinary as a web browser.

These vulnerabilities, referred to as “Spectre” (CVE-2017-5753, bounds check bypass, and CVE-2017-5715, branch target injection) and “Meltdown” (CVE-2017-5754, rogue data cache load), abuse the processor’s speculative execution to let a malicious program, or even a script running in a web page, read data such as passwords, encryption keys, and other sensitive data from memory it should never be able to access.  Meltdown mainly affects Intel processors; Spectre affects Intel, AMD, and ARM designs alike. The flaws have existed in computer chips manufactured as far back as 1995 and were discovered in 2017 by multiple security researchers.

These flaws have software publishers and hardware manufacturers working overtime to ship mitigations. I have implemented the fixes on a variety of computers, and the update process for your computers will likely require updates to your web browsers, your computer’s operating system, and possibly your hardware’s BIOS and other firmware (the processor microcode for Spectre variant 2 is delivered through the BIOS on most PCs).

While it is essential that you install these updates to protect the confidential information you have on your computer (including your usernames, passwords, and encryption keys), some sources also report that these patches could slow your computer down by as much as 20% in the worst cases, with older processors and workloads that make many system calls (heavy disk or network activity) hit hardest, and other sources report that the patches caused unexpected reboots on some computers.

The Spectre and Meltdown patches are plentiful and it will be some work for you and/or your IT professional to apply these updates. I have four Windows computers and two Linux computers which I use on a regular basis, and the update process has been very time consuming. 

My Microsoft Surface Book was probably the easiest one to update, since Microsoft pushed out the firmware and operating system updates through Windows Update. My second laptop, a Dell Latitude E7270, required a BIOS update from the Dell website and I am in the process of updating a desktop computer and a server as I write this article. 

Unfortunately, some of the BIOS updates for my Windows Server are not available from Dell at this time (and none of the Linux package managers have been updated for this problem), so I will likely not be completely patched until at least early February.

The mitigation efforts have been slowed by a series of bungled updates, including one from Microsoft which reportedly made some computers running AMD chips unable to boot, and another problem with Intel’s microcode updates which causes some older processors (Intel has named Haswell and Broadwell) to reboot spontaneously more often than normal. Microsoft’s major updates to Windows for these problems were issued on January 3 and 4.

Apple’s macOS, iOS, and tvOS carry the Meltdown mitigation from iOS 11.2, macOS 10.13.2, and tvOS 11.2 onward, and the Spectre (Safari/WebKit) mitigation from iOS 11.2.2, Safari 11.0.2, and the macOS 10.13.2 Supplemental Update onward, but remember that you may not get patches for older devices which can’t run the current versions of the OS.  (Apple’s own support article on Meltdown and Spectre covers the details.)

Note: For my “techie” brothers and sisters out there, the Linux kernel mitigation for Meltdown (kernel page-table isolation, KPTI) has been shipping in the major distributions’ kernel updates since early January, while the kernel-side mitigation for Spectre variant 2 (retpoline) is expected around the end of January with kernel 4.15 and the distributions’ backports of it. Intel has also released new microcode data files which can be loaded on Linux hosts, although I’m waiting for them to be in the “official” packages for my Linux distribution.

Since Android patches have to pass through the device makers and, in many cases, the carriers before they reach handsets, we’re not really sure when the patches will go out to your users. You should expect that there will not be patches available for many older Android devices. There’s an article and reference table on this topic here.

If you use hosted applications (e.g. you run your tax software over Citrix or Remote Desktop Services (RDS)), you should confirm with your hosting provider that they have implemented the required updates to their servers. Shared servers are exactly where these flaws matter most, since Meltdown lets one tenant read memory belonging to another. Like me, they may have not been able to get the updates needed from the publishers, and you will not be safe from these vulnerabilities until the patches are available and in place.

There are a number of additional challenges you will face as you update your Windows computers:

  • If you have implemented the Windows BitLocker drive encryption utility on the boot disk of your computer(s), be aware that a BIOS/firmware update changes the measurements the TPM uses to release the disk key, so the first boot after the update will stop at the recovery screen and ask for the BitLocker recovery key (unless you suspend BitLocker for one reboot before installing the update, which is the cleaner route). The recovery screen identifies the key it wants with an eight-character hexadecimal Key ID (e.g. 4FA11873).  The recovery key itself is 48 digits in eight groups of six (something like “136444-523886-445027-342958-130900-281501-125829-330495”) and is often saved as a file whose name starts with the words “BitLocker Recovery Key”, stored in a user’s OneDrive account, or attached to the user’s Azure Active Directory account.
  1. You should get this code BEFORE you install the BIOS update by backing it up from your computer as detailed in the linked article.
  2. If you lock yourself out of your computer and can’t find the BitLocker Recovery Key, Microsoft has a nice support article which lists some of the places where you might have stored this information.
  • The process of patching Windows is made even more complex in that some antivirus applications will prevent the installation of the updates on your computer: Windows Update only offers the January fixes once the installed antivirus has set a compatibility flag in the registry (the QualityCompat key), and some vendors were slow to do so. More on that at ZDNet, or in a more technical article at Microsoft.
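The pre-flight steps above, collected into one script. This is an added example written for this article, not code from the original post or from Microsoft; it assumes an elevated PowerShell prompt on Windows 10 (which ships the BitLocker module), that the operating system volume is C:, and that you run it immediately before installing a BIOS/firmware update.

```powershell
# Added example (not from the original article): prepare a BitLocker-protected
# Windows 10 machine for a BIOS/firmware update. Run from an elevated prompt.
# Assumption: the OS volume is C: (change $OsDrive otherwise).
#Requires -RunAsAdministrator
$OsDrive = 'C:'

# 1. Record every recovery password together with its Key ID. The recovery screen
#    shows only the first eight characters of the Key ID, so keep the pair together.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Write-Warning "No recovery password protector on $OsDrive. Add one before updating firmware."
}
foreach ($kp in $recovery) {
    'Key ID:            {0}' -f $kp.KeyProtectorId
    'Recovery password: {0}' -f $kp.RecoveryPassword
}
# Optional: escrow the key in Azure AD on an AAD-joined device (the cmdlet fails
# with a clear error if the device is not joined). Uncomment to use.
# foreach ($kp in $recovery) {
#     BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $kp.KeyProtectorId
# }

# 2. Suspend BitLocker for exactly one reboot. The firmware update changes the TPM
#    measurements (PCRs); with protection suspended, the next boot does not stop at
#    the recovery screen, and BitLocker re-arms itself after that reboot.
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1
'BitLocker protection status is now: {0}' -f (Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus

# 3. Check the antivirus-compatibility flag that the January 2018 Windows updates
#    require before Windows Update will offer them (the AV vendor is expected to set it).
$compat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
if (Test-Path $compat) {
    'QualityCompat key present; values set by your antivirus:'
    Get-ItemProperty -Path $compat | Format-List
} else {
    Write-Warning 'QualityCompat key not present: Windows Update will withhold the January 2018 fixes until your antivirus vendor sets it (see Microsoft KB4072699).'
}
```

Run it, install the BIOS update, and reboot; after that one reboot BitLocker protection returns to "On" by itself, so there is no separate step to re-enable it. If the firmware update needs more than one reboot, raise `-RebootCount` accordingly rather than suspending indefinitely.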

The US support sites for popular web browsers are as follows:

After you’ve installed the required updates for your computer, you’ll want to check and see if the vulnerabilities have been properly patched on your computer. A small number of free utilities and scripts have been created which help you check the results of your work:

  • Windows and Windows Server users can use one of the following tools:
      • InSpectre from Gibson Research (you should ONLY download it from grc.com)
      • Microsoft’s SpeculationControl PowerShell module, whose Get-SpeculationControlSettings command reports whether the hardware (microcode) and Windows parts of each mitigation are present and enabled
  • Linux users can read this article which details how you can check your OS for readiness; kernels that carry the mitigations also report their status in the files under /sys/devices/system/cpu/vulnerabilities/.
  • Unfortunately, we can’t find an Apple-specific tool for testing for the vulnerabilities. The best advice for our Apple friends is to get on the latest versions of Safari, macOS, iOS, and tvOS.
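To turn Microsoft’s check into a pass/fail report you can run on each machine after patching, here is an added example (written for this article, not code from the original post or from Microsoft). It assumes an elevated PowerShell prompt with internet access to the PowerShell Gallery for the one-time module install, and it reads the boolean properties that the SpeculationControl module returns.

```powershell
# Added example (not from the original article): verify Spectre/Meltdown mitigation
# state on a Windows host using Microsoft's SpeculationControl module.
# Assumptions: elevated prompt; PowerShell Gallery reachable for the first install.
#Requires -RunAsAdministrator
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# -Quiet suppresses the printed report; the returned object carries the booleans.
$s = Get-SpeculationControlSettings -Quiet

# Branch target injection (Spectre variant 2, CVE-2017-5715) needs BOTH new
# microcode (BIOS/firmware) AND the Windows update; rogue data cache load
# (Meltdown, CVE-2017-5754) needs only the Windows update, and only on hardware
# that is susceptible (KVAShadowRequired is $false on immune processors such as AMD).
$checks = [ordered]@{
    'CVE-2017-5715: hardware (microcode/BIOS) support' = [bool]$s.BTIHardwarePresent
    'CVE-2017-5715: Windows support present'          = [bool]$s.BTIWindowsSupportPresent
    'CVE-2017-5715: Windows support enabled'          = [bool]$s.BTIWindowsSupportEnabled
}
if ($s.KVAShadowRequired) {
    $checks['CVE-2017-5754: Windows support present'] = [bool]$s.KVAShadowWindowsSupportPresent
    $checks['CVE-2017-5754: Windows support enabled'] = [bool]$s.KVAShadowWindowsSupportEnabled
} else {
    'Note: this processor does not require the Meltdown (KVA shadow) mitigation.'
}

$missing = @()
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'MISSING' }
    '{0,-50} {1}' -f $name, $state
    if (-not $checks[$name]) { $missing += $name }
}

if ($missing.Count -eq 0) {
    'All checked mitigations are in place.'
} else {
    Write-Warning ('Still exposed: ' + ($missing -join '; ') +
        '. A missing hardware line means the BIOS/microcode update is still outstanding; ' +
        'a missing Windows line means the January 2018 update is not installed or not enabled.')
}
```

The distinction the script draws is the one that matters in practice: a machine can have every Windows update installed and still show the Spectre variant 2 hardware line as MISSING until the manufacturer ships a BIOS with the new microcode, which is exactly the situation described above for the Dell systems still waiting on firmware.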

These vulnerabilities are close to a “no win” situation for most accountants and IT professionals: they are security flaws which will make no more money for your firm, and they affect smartphones, computers, and tablets. The problem was announced at a busy time (year end/busy season), requires a lot of work to mitigate, and the limited fixes available at this time have some acknowledged bugs which you may want to avoid.

While I’m advising my clients to patch as soon as possible to mitigate the security threats, I think you should consult with your IT professional when you are making the decision when and how to update your firm’s computers. 

As with many dilemmas in life, there’s no perfect answer as to when to update: if you update too early, you may create reliability issues for some users, while if you wait too long, you may get hacked. Please consider your risks and options carefully as you work to mitigate this significant security challenge.

For a follow-up to this guidance, read Update to Guidance for CPAs on Spectre & Meltdown.
