Security Update: Spectre and Meltdown

My1Login's systems are protected against the newly-disclosed Spectre and Meltdown vulnerabilities.

The Spectre and Meltdown vulnerabilities collectively affect billions of computer systems around the world, from desktop PCs to smartphones. The flaws are found in microchips made by Intel and ARM, and together these companies supply almost the whole global computer market.

The Spectre vulnerability works by getting programs to perform unnecessary operations  that then leak data. Meltdown snoops on memory being used by the Kernel. Both attacks exploit "speculative execution", a process that prepares instruction results on the chip before they are required by the OS.

Full details on the vulnerabilities can be found here:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715

How does it Affect My1Login?

The Spectre and Meltdown vulnerabilities impact My1Login's Infrastructure vendors, AWS and Azure. My1Login has already worked with both of our infrastructure partners to deploy fixes for these vulnerabilities. Azure and AWS have confirmed that the patching is complete and our investigation does not show any attack on My1Login or that of our customers.

My1Login will continue to monitor these vulnerabilities and investigate whether additional mitigating steps are required.

What do I need to do?

At infrastructure level, there is no need for our customers to do anything. My1Login manages the cloud infrastructure and, as detailed above, has already taken the steps to patch both our AWS and Azure servers.

My1Login would recommend that our customers contact their OS vendors to ensure they have applied the necessary security updates for Spectre and Meltdown.