Some of you have probably read about recent hardware vulnerabilities, named Spectre and Meltdown, that appear to be present in almost all modern processors. We wanted to give you an update and our position on this.
Let’s explain this quickly in lay-person terms. All modern processors use a technique called “speculative execution” to speed up tasks. That is, processors execute instructions even before they are sure those instructions need to be executed. The idea is to anticipate what the user might do and allow the processor to get ahead of the game, thereby improving user performance.
It now looks like this technique is not perfect in enforcing trust boundaries. This may allow malicious code to cross trust boundaries and read system memory that may hold sensitive information. This is the core of the Spectre issue and is common to all modern processors. The Meltdown issue is related primarily to processors from Intel and stems from a different cause, with the same consequence of allowing malicious code to cross trust boundaries.
As of January 5, the U.S. Computer Emergency Readiness Team said that while the flaws “could allow an attacker to obtain access to sensitive information,” it’s not so far aware of anyone having done so.
Zoho is aware of these vulnerabilities and their impact. Our processes already put some safeguards in place. Our production systems do not depend on isolation provided by the hardware processors for customer data protection. Zoho does not allow arbitrary third-party code to be deployed within our systems, potentially limiting the scope of any exploits. So customer data is not exposed because of this class of vulnerabilities, exploitable by third-party code.
That said, we are working with our vendors to test the initial software patches they have released and to roll these out into our development and production environments.
ArcTechnica: General article explaining the issue and what vendors are doing
Meltdown.com: Explanations and links
Google Blog Entry: Technical explanation