Meltdown and Spectre: What you need to know | Sandfield

Posted by Matt Weston - 04 January 2018

Last updated 3PM NZDT on 16 January 2018

Two major vulnerabilities have been demonstrated in CPUs which break down the boundaries between Virtual Machines and Applications.

With the code supplied by the research team, it’s possible to craft a malicious application which can read the memory of another application or virtual machine - potentially leaking secret information (like passwords, or database records).

These vulnerabilities are known as “Meltdown” and “Spectre” - or more formally CVE-2017-5754 (Meltdown) and CVE-2017-5753/CVE-2017-5715 (Spectre).

Patches are becoming available, but there have been a couple of false starts, and some vendors have recommended rolling back patches.

Meltdown and Spectre information is still evolving rapidly, and we expect more news to come.

What you need to know





Meltdown affects the “Virtualization Host” layer - allowing virtual machines within the same physical host to read each other’s memory.

At this stage, it is known to affect Intel CPUs - AMD has specifically claimed that they are unaffected by Meltdown. So far this has not been confirmed.


Spectre occurs within the virtual (or physical) machine itself - e.g. a server, laptop, etc. It allows applications to read each other’s memory within a running machine.

At this stage, this has been confirmed to affect Intel CPUs as far back as 2011 as well as AMD CPUs. It’s possible that all CPUs (including ARM) may be affected by Spectre.


In both vulnerabilities, the result is that it’s possible for an attacker to read information from memory that developers would have (reasonably!) assumed would be protected by the operating system, or virtualization host.

Patches are becoming available now - but at this stage the biggest risk appears to be for systems in “hosted” environments - either shared hosting, or cloud providers. This is because a number of different customers may share the same physical host layer, which broadens the possibility of an attack.


Patches are being released out of band (i.e. before Microsoft’s normal ‘Patch Tuesday’). We’ll keep this article updated as more patches come to light. This vulnerability was initially embargoed until January 9; however, due to media interest and investigation, the information was released early to minimise speculation about the vulnerability. As such, not all patches are available yet.

The patches that have been released so far have triggered unexpected bugs in both software and drivers, and were completely incompatible with some antivirus software. As such, Microsoft has required that antivirus vendors specifically flag compatibility with the Spectre patch before it is applied. You can read more about this at Ars Technica.

Intel has released a microcode update for their Haswell and Broadwell CPUs - but this has also caused unexpected issues, and VMware has recommended that customers avoid installing this update and, if possible, roll back to a prior version.

At this stage, the best option appears to be to push hard with workstation patches, and approach servers more cautiously. While there has been some incompatibility and performance loss with workstations, the benefits of having the patches in place definitely outweigh the risk of going unprotected. For servers, at present we've moved to a "patch cautiously" mode. Since it's unusual for servers to run untrusted code anyway, the risk is partially mitigated. We've opted to tighten up the restrictions on what can be run on production environments until performance impact and stability can be fully assessed. For more details on this, see this link.

Patching Microsoft SQL Server Instances

Given the nature of workloads on SQL Servers, the potential performance impact is a serious concern - especially given that SQL Servers are typically licensed per-core, and that a significant amount of per-core performance can be lost through these patches. Microsoft has released a guide on patching for SQL Server which specifically addresses performance impacts. Two features in particular, Kernel Virtual Address Shadowing (or KVAS) and Indirect Branch Prediction Mitigation Hardware Support (IBC), may not be required, depending on how your SQL Server is configured. Leaving them disabled will have less performance impact on your server, but comes with the added risk that some of the patches are effectively turned "off". Through our assessment, we've determined that many (but not all) of our SQL instances fall into Scenario 2 - and we are in the process of evaluating the performance trade-off for enabling these features in our environments.
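The antivirus compatibility flag and the KVAS / indirect branch prediction switches described above are both registry settings, so they can be audited per host. The script below is an added example, not part of the original article: the key and value names come from Microsoft's published guidance for these updates rather than from this page, the function names are hypothetical, and the stated defaults are those of Microsoft's January 2018 guidance.

```powershell
# Added example: read-only audit of the registry settings behind the January 2018
# Meltdown/Spectre updates. Key and value names are from Microsoft's guidance.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # antivirus compatibility flag
$mmKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Resolve-MitigationState($Override, $Mask, [bool]$IsServer) {
    # Interprets only the value pairs Microsoft documented for these updates.
    if ($null -eq $Override -or $null -eq $Mask) {
        if ($IsServer) { return 'Not configured: mitigations stay disabled on Windows Server' }
        return 'Not configured: mitigations enabled by default on client Windows'
    }
    if ($Mask -eq 3 -and $Override -eq 0) { return 'KVAS and branch prediction mitigations enabled' }
    if ($Mask -eq 3 -and $Override -eq 3) { return 'KVAS and branch prediction mitigations disabled' }
    return "Non-standard pair (Override=$Override, Mask=$Mask): review manually"
}

# ProductType 1 = workstation; 2 and 3 = domain controller and server.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
$compat   = Get-RegValue $compatKey $compatName
$override = Get-RegValue $mmKey 'FeatureSettingsOverride'
$mask     = Get-RegValue $mmKey 'FeatureSettingsOverrideMask'

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    IsServer        = $isServer
    # Without this flag (DWORD 0) Windows Update withholds the security update.
    AvCompatFlagSet = ($null -ne $compat -and $compat -eq 0)
    MitigationState = Resolve-MitigationState $override $mask $isServer
}
```

The registry shows configuration only; whether a mitigation is actually active also depends on the OS update being installed and, for the branch prediction mitigation, on updated CPU microcode.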

Hosted/Cloud Systems Patch Status

As at 3PM NZDT on January 16, 2018

Vendor                       Virtualisation Host Layer (Meltdown)
Google Compute               Patched
Amazon Web Services (AWS)    Patched
Microsoft Azure              Patched

If you utilise other shared hosting services (e.g. local datacentres), you should reach out to them directly to confirm their status.

Operating System Patch Status

As at 3PM NZDT on January 16, 2018:

Matt Weston has more than 10 years' experience working in the IT industry. His sweet spot is in designing and building software systems which require deep attention to detail across a broad range of disciplines and technologies. When not working, Matt can be found drifting 90s sports cars online.

