The threats from the Spectre and Meltdown security flaws (listed in the National Vulnerability Database as CVE-2017-5753 and CVE 2017-5715 for Spectre, and CVE-2017-5754 for Meltdown) have been making headlines around the world. What makes the risk of these flaws different than most others is the sheer scope of the issue, which is on a scale rarely seen. The main chip in most modern computers and phones—the CPU—has a hardware bug which creates security vulnerabilities that cybercriminals could use to steal data processed with computer memory. Nearly every computer and phone chip manufactured in the last 20 years could potentially be exploited.
The magnitude of the threat prompted us to join other major SaaS and cloud service companies in sending out information to keep the matter foremost in the minds of our current and potential customers. We recognize that sometimes our security measures can only be as good as the steps that others parties take, and many users are being affected (or will be affected) by the security measures being taken by major computer/phone manufacturers and network providers. These effects range from a perceived slowing of machine or network performance to the need to install more frequent patches and updates.
What Oildex is doing about the security threat
Protection of the security, integrity, and availability of customer data is paramount at Oildex. For over ten years we’ve achieved SSAE 16 (now SSAE 18) SOC 1 Type II compliance for our design and operational effectiveness in the exchange of billions of lines of financial transaction detail for our customers.
We continuously monitor our systems for any evidence of attempts to exploit vulnerabilities and we’re committed to investing in data safety so our customers know their information is kept safe and secure. As always, we’ll stay on top of this issue and apply all appropriate and available mitigations to our services in order to protect Oildex customers against known vulnerabilities.
What you can/should do
The main fallout from this security threat is the need for users to be increasingly vigilant and diligent about their device security. There are a number of things users should be aware of, in both active and passive ways.
Active steps you should take
- Though no known exploits have been advertised or made public, make sure that you follow your organization’s software test/update/patch guidance for your devices. Use caution… Because the situation is dynamic and ongoing, some isolated patches have proven to be unstable to date. (NOTE: A helpful list of major device and network providers and their current activity is provided below.)
- After installing the most recent update/patch, consider changing your password and security credentials for critical applications.
Other things you should do
- Be extra vigilant on phishing attacks. As major events like this occur, we often see hackers try to take advantage of the increased awareness of security threats and people’s vigilance to step up phishing attempts disguised as helpful links to patches, etc. Only trust known sources for updates and patches, which usually come from directly within a device operating system rather than an email link.
- Be patient. Though we have not seen any connectivity issues or latency on the Oildex platform, many users have experienced slower network response time due to patches from third parties such as internet providers that can affect the Oildex platform.
In the end, because this is an endemic hardware security flaw that is embedded in the devices themselves, a full solution could be years away. The only consolation in that is that you’re not alone. For now, everyone needs to be more vigilant. We certainly will be, and we’re asking you to be as well.
The threat is serious enough that most experts recommend keeping up to date with patches as they become available directly from known and trusted sources like Microsoft, Apple, Google, etc. A few links to some of these sources are provided below. These updates come directly from the attributed organization, and Oildex is not associated with their content or performance.
- Microsoft has released operating system patches for most versions of Windows, which also patch the company’s Internet Explorer and Edge browsers.
- Apple has released updated versions of its macOS, iOS, and tvOS operating systems, as well as its Safari browser.
- Google has released a list of which Chromebook models have been patched, which will be patched soon, and which are end-of-life and won’t be patched.
- Mozilla’s Firefox browser has announced a patch that will be released soon.