
Saturday, January 6, 2018

What are the Meltdown and Spectre vulnerabilities and what you should do about them

Meltdown and Spectre vulnerabilities

Two major computer processor security bugs, dubbed Meltdown and Spectre, affect nearly every device made in the last 20 years. How much these bugs will impact computing is still playing out, but they could lead to compromised servers for cloud platforms and other farther-reaching effects.



The Meltdown and Spectre bugs affect a variety of CPUs, including Intel chips and ARM chips on mobile devices. The resulting attacks impact every major operating system in some way. Companies have rushed to patch the vulnerabilities, and it’s still unclear whether the patches will result in significant performance slowdowns. More broadly, security teams are likely to struggle with variants and other consequences of the bug for years to come.

What's in a name: Meltdown and Spectre

One of the reasons this latest threat is so complicated is that it's actually multiple vulnerabilities that were unveiled at the same time. They're similar in some ways but differ in other important ones, a fact hinted at by their names.

According to researchers, Meltdown "basically melts security boundaries which are normally enforced by the hardware." Spectre, meanwhile, "breaks the isolation between different applications" allowing "an attacker to trick error-free programs, which follow best practices, into leaking their secrets."

And what does that actually mean? Essentially, either of these vulnerabilities could be theoretically exploited to steal sensitive data, like passwords, off your computer. Spectre is also a threat to your smartphone, so no escape there.

So, who has patched?

Companies, if they haven't already, are rushing to release the aforementioned "mitigations" against possible attacks that could exploit Meltdown or Spectre (a helpful patch list can be found on the Computer Emergency Response Team site). Why mitigations? Well, because the patches and updates mitigate the risk — but might not remove it completely. 

Microsoft, on Jan. 3, released an update for devices running Windows 10 that was downloaded and installed automatically.

Google, for its part, issued a lengthy blog post on the same day detailing all the steps it had taken to protect users against both Spectre (Variant 1 and 2) and Meltdown (Variant 3). While a lot of that work happened behind the scenes, there are still some actions you need to take yourself. For example, you should definitely enable site isolation on Chrome.


Android devices with the most recent security updates are also protected from the above-mentioned variants.

Apple was a little late to the customer-facing party, but on Jan. 4 made it clear that it is indeed paying attention. Specifically, the company said that — just like with its competitors — its products are at risk. That includes "all Mac systems and iOS devices," to be exact.

But wait, there's good news! Patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and Spectre-focused patches for Safari should be hitting "in the coming days."

What do you need to do?

Meltdown and Spectre are the real deal, and rightly have security professionals concerned. However, at this time there are plenty of things you can do to protect yourself that don't involve buying a new computer. 

Security researcher Matt Tait writes that, at least when it comes to Meltdown, typical computer users can mostly breathe easy. First and foremost, make sure your system is up to date. Download any and all patches for your operating system and browser of choice. 

But, because more updates are coming down the pike, you're not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don't pull the classic "remind me later" bit. 

And what about Spectre? This one is a little trickier. 

"Spectre is harder to exploit than Meltdown, but it is also harder to mitigate," explain the researchers behind the discovery. "However, it is possible to prevent specific known exploits based on Spectre through software patches." 

In other words, while nothing is perfect, much of the same advice applies as with Meltdown: update, update, update. 

Which, well, has always been good advice.
