Authentic8 Blog Author: Kevin Lund

Kevin is Chief Technology Officer at Authentic8.

Update on Meltdown and Spectre Exploits

Three months ago, the industry was on high alert due to the publication of two new security exploits: Meltdown and Spectre (see my prior post on this topic).

Since then, Authentic8 has aggressively updated its software at both the system and application level, from kernel to browser (and every patch in between). We have been actively monitoring our systems for security issues, as we always have and will continue to do.

These attacks did not represent a qualitative change in the security landscape but were a reminder that threats are always present. Some are known; most are probably not.

The Meltdown and Spectre threat reminds us that monitoring and rapid response are vital to our security and, by extension, the security of our customers.

While we haven’t seen any in-the-wild exploits that take advantage of Meltdown and Spectre, security breaches attributed to the lack of basic IT hygiene continue unabated.

We encourage you to re-assess - continuously - your basic security

Company Statement on Meltdown and Spectre

The Meltdown and Spectre attacks have recently been publicized, revealing vulnerabilities in all systems using modern microprocessors. Authentic8 systems share these vulnerabilities.

While there have been no publicized practical in-the-wild exploits of these vulnerabilities, we are applying system patches as they become available. Patches have been released for Meltdown on some platforms, with more expected; Spectre does not appear to be patchable in software and may require physical CPU revisions.

Authentic8 uses third-party cloud virtualization platforms for a minority of our services. These services (Amazon AWS, Google Compute) have patched their underlying software against the Meltdown attack. We are preparing kernel patches for our own systems and will provide updates as they are processed through QA and deployed.

The Authentic8 architecture in many ways mitigates these types of attacks. Our browser isolation does not rely on hypervisors, so exploits designed to access data across virtual machines do not apply to us. Sensitive customer data is kept encrypted at rest and only