Meltdown and Spectre are two recently discovered security vulnerabilities that affect all modern processors, computing devices and operating systems. By taking advantage of design flaws in processors, attackers can see sensitive data in your computer that shouldn’t normally be accessible like passwords and encryption keys.
Meltdown takes advantage of the isolation that should occur between applications and the operating system. A program shouldn’t have access to operating system memory because different keys and passwords reside there, so the operating system restricts access to this kernel memory if a program attempts to read it. The problem is that CPUs were not enforcing this check during speculative execution resulting in the potential leak of sensitive information.
The Spectre flaw takes advantage of the speculative execution process. In order to make computer processors run faster, the chip will guess what information the computer needs to perform next.
Think of it like a cooking recipe. If you are making a meal and see that you need to wash and chop vegetables, but also have to bake a turkey, you will realize the turkey baking in the oven can run in tandem with the chopping of vegetables.
A CPU does similar things to improve speed by seeing if there is work down the road that can be performed now. This is invisible to the user and all happens in the background. Spectre basically lets attackers read the secret data that the chip temporarily makes available when it tries to guess what function the computer should perform next.
To date there have been no reports of anyone using these vulnerabilities in the wild.
What is being done about it?
Computer companies like Intel, Microsoft, Apple, AMD and others have been working diligently to issue patches and mitigate the potential damage. Patching these vulnerabilities requires both software and BIOS/firmware updates.
However, these patches do not completely eliminate the risk as it will require a complete architecture redesign, which will take years to implement.
In the meantime, it is vital to apply all applicable patches in order remain as secure as possible.
What can I do?
Here are steps you can take to secure your personal machines:
- Back up your data
- Update all internet browsers
- Update your anti-virus software
- Install the recommended software patches
- Install any firmware updates
Mobile Device (smartphone, tablet, etc):
- Back up your phone
- Update your OS to the latest version
- Install any carrier-specific updates if prompted
We also strongly recommend logging out of every page that requires credentials when you are done. Please do not save passwords in your web browser.
It is imperative to always have the latest browser version installed, as this is a common infection vector for malware and exploits.
Firefox: Current version is 57.0.4 (Current version at time of writing)
- Open Firefox. Choose “Help” then “About Firefox” on next menu.
- Firefox should check and automatically update if it is out-of-date.
- Click on these links for more information about updating Firefox and security information
Chrome: Current version is 63.0.3239.132
- Open Chrome, click on the ellipses (three dots) at upper right and choose “Settings”
- In Settings, choose “Settings” in upper left and go to “About Chrome” on drop down:
- If not up-to-date, Chrome will start updating. After the update Chrome will ask to relaunch to save changes. No information should be lost if browsing at the time.
Safari: Current version is 11.0.2
- Open Safari, click About Safari
- If you see an older version, open the App Store to apply updates
Microsoft Internet Explorer and Edge: Current version is IE 11 and 41.16299.15
- Open Edge, select the ellipses (three dots) at upper right and scroll to bottom of Window that opens to see “About this app”
- Updates for Edge should be done automatically in Windows 10 and 8.1.
- Open IE, select the “gear” and choose “About Internet Explorer”
- If already running Windows 10 and 8.1, Updates should be handled automatically.
- For Windows 7 computers, a manual download for IE 11 can be found if needed.
Windows 7 Service Pack 1, Windows 8.1, and Windows 10 users need to apply both firmware and software updates
To check for updates go to Settings > Update & Security to see if there are any fixes in the queue.
Windows 7- Click Start button > All Programs > Windows Update
To apply firmware updates, please consult your manufacturer’s website.
To see what version you are running click on the Apple menu button in the upper-left hand corner of your screen and select About This Mac. If you are on a prior version open the App Store application, click on the Update tab and install all applicable updates.
iOS: iPhones and iPads
iOS 11.2 and newer include mitigations
Go to Settings > General > About and look for Version to verify what you’re running
Go to Settings > General > Software Update to download the latest version
If you have a Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, Pixel 2/XL you should have an update downloaded and available to install. Other manufactures will take longer to get updates.
More information about Spectre and Meltdown
- RedHat has produced a helpful video about these vulnerabilities, available on YouTube
- The researchers who discovered these vulnerabilities have put together a site with the latest information https://meltdownattack.com/