Milestone Customer Support
Article number:  000003566
Article type:  Cyber Security
Article audience:  Professional
Category type:  Usage
Product:  All
Type:  Device issue
Version:  2
First published:  01/05/2018
Last modified:  08/06/2018

Meltdown and Spectre attacks

It is possible to read system memory without permission on many computers using Intel, AMD, or ARM CPUs by exploiting weaknesses in the way instructions are handled by the processors.

"Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents."
(source: "Meltdown and Spectre," published by the Graz University of Technology)

To mitigate these issues, you may need to apply operating system updates and firmware updates as they are made available.

Milestone Systems has evaluated the impact of the Intel and Microsoft updates on VMS performance.

  • Systems with CPU load below 70% can handle the updates from Microsoft and Intel.
  • Newer generations of Intel processors are less affected than old ones.
  • Hardware-accelerated motion detection can be used to reduce CPU load.
  • Microsoft offers bail-out registry setting for systems with insufficient CPU headroom.

For the Husky M20 there is a BIOS update available. Detailed instructions for the Husky M20 update can be found inside the download package:
https://www.milestonesys.com/support/resources/download-software/?prod=246&type=11&lang=27

For more information check the following whitepaper:

https://spectreattack.com

CVE:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)