FileMaker, Spectre and Meltdown
I haven’t seen a lot of coverage on FileMaker, Spectre and Meltdown issues as they pertain to FileMaker server (and WordPress, for that matter), but there are some guidelines and some safe practices to follow at this time. The situation seems to be changing rapidly as more fixes are implemented and the true extent of the threat is revealed:
Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE–2017-5754, also known as Rogue Data Cache Load, in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some, but not all characteristics. The Meltdown and Spectre vulnerabilities are considered “catastrophic” by security analysts. The vulnerabilities are so severe that, initially, security researchers believed them to be false….
Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.
Meltdown affects a wide range of systems. At the time of disclosure, this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM based processors (mobile devices, smart TVs and others), including a wide range of networking equipment. A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads, although companies responsible for software correction of the exploit are reporting minimal impact from general benchmark testing….
Further, recommended preventions include: “promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources … following secure password protocols … [using] security software to help protect against malware (advanced threat prevention software or anti-virus).”
For more up to date information, keep an eye on Wikipedia.
Servers are most vulnerable
This threat is real and will affect anyone with FileMaker servers on Mac or Windows, and cloud based servers as well (yes, even AWS). Amazon issued a notice of fixes as it relates to Linux just last week.
Computer Weekly offers a somewhat more current take from January 18th and is worth a read, covering actions taken or planned by Microsoft.
What to do?
Tim Cimbura offered up some concrete advice recently in his post, Meltdown and Spectre Security Issues: What FileMaker and WordPress Users Need to Know – LuminFire:
From a FileMaker perspective, the impact may be a slow down at the application and server level. Estimates vary that it could be from 5%-30% but early reports are that the real world effects are not noticeable (unless your server is regularly running close to full load, which is not a best practice).
Stephen Blackwell started a thread that contains some useful links and advice for FileMaker users, as well.
The Bottom Line
Update your servers and software apps and keep them updated. Increase server resources if your servers are running a heavy load. And keep an eye on the issue – don’t let it get lost in the daily shuffle. Or you may end up with a massive security problem.