In this notification, NetDocuments provides additional information regarding risks from the Spectre and Meltdown vulnerabilities, explains how this led to changes in NetDocuments’ ActiveX controls, and outlines a deployment schedule for the new controls.
ACTION REQUIRED - All customers need to be using the updated 2018 ActiveX controls by February 12, 2018.
During the first week of January 2018, NetDocuments, along with most other businesses and users, became aware of the Spectre and Meltdown vulnerabilities. After extensive research and analysis, NetDocuments provided a detailed response to these potential vulnerabilities in a document published January 5, 2018, “NetDocuments Response to the Meltdown and Spectre Vulnerabilities.”
Separately, but during this same period, NetDocuments announced a required update to NetDocuments ActiveX controls for Microsoft’s Internet Explorer. This update is part of NetDocuments’ regular update schedule and was not initially connected to the Spectre and Meltdown vulnerabilities.
On Tuesday, January 16th, NetDocuments received notice that Microsoft was releasing a compiler patch which offers an additional element of protection against the Spectre and Meltdown vulnerabilities. This targeted patch affects the way ActiveX controls are compiled. To make this additional protection available to its customers for their desktop computers, NetDocuments decided to delay the release of its ActiveX controls so the Microsoft update could be used when the new NetDocuments’ ActiveX controls were compiled for release.
Risk to the NetDocuments Service
As mentioned in our earlier notification, the NetDocuments Service is at minimal risk from the Spectre and Meltdown vulnerabilities. These vulnerabilities make it possible for untrusted code running in one process to access data in the operating system kernel or in another process running on the same CPU. Since the NetDocuments Service is hosted on dedicated hardware, and no untrusted code is executed on NetDocuments servers, there is virtually no opportunity for the Spectre or Meltdown vulnerabilities to be exploited in NetDocuments’ production environments.
In contrast, NetDocuments client software may be run in environments where Spectre and Meltdown vulnerabilities could be exploited. For example, outside of NetDocuments’ production environments, client software running on a customer’s VM could be targeted by malware running on another VM on the same physical hardware. Or malware running in a browser could potentially target other software running on the same workstation, including NetDocuments client software. Fully protecting data in these environments may require a combination of firmware updates, operating system updates, and application software updates. See “Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems” for a summary from Microsoft.
Protecting Users Against the Spectre and Meltdown Vulnerabilities
The most important step NetDocuments customers should take is to promptly deploy firmware and software updates from your hardware, operating system, and browser vendors. Doing so will eliminate most attack vectors malware could use to exploit Spectre and Meltdown vulnerabilities on user computer systems.
Explanation for the Updated ActiveX Controls
It is very unlikely, but still theoretically possible, that even on a customer’s patched system an attacker could find a way to target vulnerable applications. Specifically, these applications could be vulnerable to Spectre variant 1 attacks if untrusted code is running in another vulnerable process on the same CPU. For this reason, NetDocuments has created updates to our native-code client components that protect them against these attacks. The updated clients will be available on January 22, 2018, and their version numbers are:
NeNote.exe - 184.108.40.206 (NetDocuments Janitor process)
neWebCl - 220.127.116.11 (NetDocuments document activation ActiveX control)
neCrypto - 18.104.22.168 (NetDocuments cryptography ActiveX control)
ndImport - 22.214.171.124 (NetDocuments mass import utility)
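The Spectre variant 1 exposure described above concerns native code of the following shape. This is an added illustration in C, not NetDocuments code and not the output of the Microsoft compiler update: it swaps in branchless index masking (the approach behind the Linux kernel's array_index_nospec) for the compiler-inserted protection, and every table and function name is constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N 16

/* Constructed sample tables; no name here comes from NetDocuments code. */
static const uint8_t table_a[N] = {3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3};
static const uint8_t table_b[N] = {10, 11, 12, 13, 14, 15, 16, 17,
                                   18, 19, 20, 21, 22, 23, 24, 25};

/* Before: correct architecturally, but a mispredicted bounds check lets the
 * CPU run both loads speculatively with an out-of-range idx, so the second
 * load's address depends on memory outside table_a. */
uint8_t read_unhardened(size_t idx)
{
    if (idx < N)
        return table_b[table_a[idx]];
    return 0;
}

/* All-ones when idx < size, zero otherwise, computed without a branch.
 * Assumes size <= PTRDIFF_MAX and an arithmetic right shift of negative
 * values (the behaviour of mainstream compilers). */
size_t index_mask(size_t idx, size_t size)
{
    return (size_t)(~(ptrdiff_t)(idx | (size - 1 - idx))
                    >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* After: the index is clamped by data flow, so even under a mispredicted
 * branch the first load can only touch table_a[0]. */
uint8_t read_hardened(size_t idx)
{
    if (idx < N) {
        idx &= index_mask(idx, N);
        return table_b[table_a[idx]];
    }
    return 0;
}

int main(void)
{
    printf("in range:  %u %u\n", read_unhardened(5), read_hardened(5));
    printf("out range: %u %u\n", read_unhardened(99), read_hardened(99));
    printf("mask(15)=%zx mask(16)=%zx\n", index_mask(15, N), index_mask(16, N));
    return 0;
}
```

An optimizer is free to turn hand-written masking back into a branch, which is why production code relies on a vetted primitive or a compiler-level mitigation rather than this pattern typed by hand.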
Recommended Schedule for Updating the ActiveX Controls
We recommend that firms using NetDocuments deploy the updated versions of the ActiveX controls, listed above, within the next two weeks. If your firm or business uses ndImport, it should also be upgraded. On February 8 the NetDocuments service will no longer work with older versions of the ActiveX controls, so all user computer systems which use Internet Explorer to access the NetDocuments Service will be required to use the new ActiveX controls.
To reiterate: All customers need to be using the updated 2018 ActiveX controls by February 12, 2018. The additional Spectre and Meltdown protections are only available using the set of updated 2018 ActiveX controls, listed above.
Impact on Other NetDocuments Client Software
Other NetDocuments client software, such as ndOffice, ndSync, and EMS, is deployed in managed code form. These clients are protected from Spectre and Meltdown when the underlying .NET runtime environment is updated with the latest Windows security updates, so NetDocuments will not be issuing updates for these clients at this time.
One of NetDocuments’ primary commitments is securely protecting customer data. NetDocuments is implementing these new ActiveX controls to add one more element of protection for users of the NetDocuments Service. Through ongoing innovation and a continual focus on security, the NetDocuments Service provides unparalleled ease of use and industry-leading protection for managing and storing customer documents. If your firm or business has questions regarding the deployment of NetDocuments’ new ActiveX components or any other aspect of the NetDocuments Service, please contact a NetDocuments representative.
For detailed information about installing the new ActiveX control, click here.