Spectre & Meltdown CPU Vulnerabilities
Spectre and Meltdown have limited capabilities and cannot be used by themselves to compromise a computer system. Side-channel analysis is a passive means of collecting data but cannot alter memory, execute arbitrary code, or otherwise affect the target.
Local system access is required to exploit both Spectre and Meltdown. An attacker would need to gain access to the operating system either directly or by convincing an unsuspecting user to execute malicious code that is capable of evading security controls.
Security experts, including SANS, have concluded that the systems at highest risk are multi-user, multi-tenant systems such as hypervisors and cloud infrastructure.
- Digitally signed software
- McAfee whitelisting protection embedded into office devices
- Onboard software verification
Xerox AltaLink devices support JIT (just-in-time) compilation. No known exploit exists. To further harden the devices, JIT can be disabled by applying the software patch listed below.
- Other devices do not implement JIT; no patches are required.
- Digital Front Ends that are hosted on a PC: please see below for patch information.
We will continue to monitor the situation and act accordingly to protect the products we provide to you, both now and in the future.
Xerox Software Applications are not impacted. However, for those that run on a PC with a Windows, Linux, or Solaris operating system, the PC should be updated as appropriate.
- Xerox devices: We recommend ensuring that appropriate security practices and controls are applied to the devices and their environment.
- Xerox AltaLink devices: We recommend applying the software patch SPAR release 100.00X.0180.01610, found at Xerox.com/security/Security Bulletin
- EFI Digital Front End: Please consult the following link: http://www.efi.com/support-and-downloads/kbarticle/article-details/?knowledgeArticleID=kA339000000HCDaCAO
- FreeFlow Print Server: Xerox is currently awaiting patches from our OS vendors. Once received, the patches will be tested and a security bulletin will be posted at Xerox.com/security/security bulletins
- Other Xerox Software: For Xerox Solutions that run on Windows and Linux platforms, please refer to the operating system vendor's website to determine whether patches are necessary.
Always consult with your IT department as appropriate.
This notice will be updated if further information becomes available. Please visit https://www.xerox.com/Security for additional updates.