You’ve undoubtedly heard about the hardware bugs that potentially impact nearly every computing device made in the last 20 years. These bugs have scary-sounding names: Spectre and Meltdown. I want to take a few minutes to explain these two issues and tell you what Granicus is doing to protect the data you entrust with us.
The first thing to keep in mind is that, although receiving a lot of media attention, these vulnerabilities are not the death of computing as we know it. Exploiting the vulnerability requires that an attacker execute code directly on the computer, something that can’t be done remotely.
First, a technical primer—and if you don’t care about the details and only want to know how you’re impacted, feel free to jump down to the next section.
There are two hardware bugs that were announced this week, and both take advantage of a CPU feature called “speculative execution,” used to increase performance by predicting what data you’re going to use. The feature basically guesses what execution path the process is going to use and executes the branch before it’s asked for. If it turns out it’s not needed, it transparently rolls back. Or at least that’s the theory.
Spectre (CVE-2017-5753 and CVE-2017-5715), also known as “bounds check bypass” and “branch target injection” are two different techniques that exploit the fact that the CPU is guessing what you want to do. In essence, the malicious process tries to intercept the memory locations before the CPU transparently rolls back the non-used memory. Meltdown (CVE-2017-5754) is a technique that allows a user process to read kernel memory.
For a good real-world analogy of the vulnerability, this thread on Twitter does a good job of explaining how the vulnerability works.
Granicus’ solutions are offered as Software as a Service (SaaS). This means you access the application remotely and have no ability to execute code on our servers. Only employees that have a business need are given access to the infrastructure, so there’s no way for a bad guy to try stealing data from memory.
While many organizations use cloud providers like Amazon AWS and Microsoft Azure to host their servers, Granicus owns and manages most of its own hardware. That means we don’t have to worry about someone outside of Granicus running code on the same physical hardware as we are.
It’s also important to note that Amazon and Microsoft both upgraded their systems to prevent Spectre and Meltdown before it was publicly announced, so workloads running on both of those cloud providers are also protected.
In some cases, Granicus software may be installed in your data center. Although we don’t manage the hardware in this situation, it follows the same concept as the Software as a Service (SaaS) description above. Nobody can use a Granicus application to run their own code, so there’s no risk of anyone stealing data from memory.
Although the overall risk is low, it’s always possible that new attack vectors will be discovered, so the Granicus security team is working closely with vendors to ensure we understand all the issues. When patches are available, we’re testing the impact on our software and will install them as soon as possible to further reduce the risk.
As always, if you have any questions, please feel free to reach out to our customer support team.