Spectre/Meltdown

Spectre and Meltdown are two massive security vulnerabilities found in smartphone chips. If you have any devices with a processor, you’re likely affected by these vulnerabilities. Desktops, laptops, cloud computers, smartphones and some internet of things devices are all affected.  The vulnerability makes use of a feature of modern processors, called speculative execution. Security experts do not know if the vulnerabilities have been exploited, but they have gone undetected/unreported for a long time. They are like an unlocked door, and may or may not have been used on your system. Practicing good safety habits online such as being careful what you install, blocking malware, locking your device to avoid unknown background tasks, and not opening unknown/unverified files help keep the door closed.

Usually, applications can’t access the memory of other programs. Meltdown violates this principle so that a program can steal the secrets of another program and the operating system. This means that someone could write a JavaScript program to steal the passwords from your password manager, for example. Meltdown is easier to exploit than Spectre.

Spectre breaks the isolation of different applications. An attacker can trick a program into storing information into the stored memory to be able to steal it. While it is harder to exploit Spectre, it’s also a more difficult problem to solve.

Apple Devices

Yesterday, Apple released an iOS 11.2.2 update to address the security risks found in Spectre. Patches for Meltdown were already included in iOS 11.2. If you have an iPhone or iPad, make sure that you update it. To get there, go to Settings | General | Software Update and then tap Download and install.

Apple also released a supplemental update to macOS High Sierra 10.13.2 yesterday to address the security risks found in Spectre. Meltdown was already addressed in macOS 10.13.2. To update, open the Mac App Store and check for updates.

Screen Shot 2018-01-09 at 8.56.55 PM

tvOS 11.2 already patched the Meltdown vulnerability. Apple Watch is not affected by Meltdown.

Windows Devices

Since January 3rd, Microsoft has been providing updates, although some of them have been pulled for crashing AMD systems. You need to update both your hardware and software. Go to the Microsoft web page for more information. Run the updates using the Windows Updater on your computer through Settings | Update & security and look for

Android Devices

Patches released by Google in December 2017 and January 2018 patch the two vulnerabilities. Make sure that you install the updates on your device once they are downloaded. If you want to know more about other Google devices, see more here.

Software Updates

If you use Firefox, update to 57.0.4 which includes mitigations for both vulnerabilities. Google will release a Chrome web browser update on Jan. 23 to protect your devices from web-based attacks. Look out for updates for the other browsers as well.

Hardware Updates

If you have a branded device, check for updates from the manufacturer and any news releases about the two vulnerabilities.

Next Steps

Take some time to update your devices.If your device is too old to update, I suggest being very careful with private data on the device.

Need help? Contact tech@dpresident.net. 

I’ve read a few articles on the topic and heard it discussed on TWIT and other podcasts. By far, the article that I found easiest to understand is here. Most of the information contained in this article is from that source.

Citation: “Meltdown and Spectre.” https://meltdownattack.com/. Accessed 9 Jan. 2018.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s