Spectre and Meltdown: What You Need to Know
If you’re panicking because of yesterday’s news about critical design flaws in your computer’s CPU, you can relax. Most IT professionals have been hearing about this for months now, and the public announcement comes after most platforms have already created operating system patches.
Intel is releasing patches for its CPUs manufactured in the last 5 years, which should be available in a few days. Apple patched its operating systems with iOS 11.2 and macOS 10.13.2, which have been available for some time now. Microsoft has introduced its fixes in the January 2018 patch release, which you should get if your computer is set to automatically download updates; otherwise, you should manually update your operating system. Apple has stated that they’re not aware of any “in-the-wild” malware actually utilizing the CPU design flaws.
So what are these vulnerabilities and how do they work?
Meltdown allows user applications to snoop on private information from other programs running in memory. Meltdown exploits a caching optimization issue where the processor reads memory in advance of an anticipated operation, but if the prediction is wrong, the data that has been proactively stored in the cache is now available to applications that request it before it’s been cleared. It is the speed and timing of the requests that allow the memory to be read before it’s deleted. Most Intel processors designed since 1995 are vulnerable until Intel issues a patch for its most recent processors in the next couple of days.
Spectre is a side-channel software exploit that forces an application to access its sensitive data so that it can be exploited using Meltdown. While Spectre forces the applications to access passwords and private information, the exploit would theoretically access the cache to steal the information. It’s important to know that software is already being updated to mitigate this attack by altering system clocks to introduce a minor delay so the Meltdown exploit used by Spectre is not possible.
Firefox and Chrome have already introduced patches to address Spectre by slowing down requests to fix the timing issue with the CPU caching. Apple says that the next update for Safari will include a similar patch.
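Why a less precise clock helps, shown as an added illustration that is not part of the original article or any browser's code: the simulation below uses constructed read times and assumes the mitigation works by making the clock available to page scripts coarser. The function names, the 40 ns and 240 ns durations and the 20,000 ns resolution are all assumptions chosen for the example.

```javascript
// Added illustration: simulated durations only, nothing here measures a real cache.
// Every name and number below is an assumption made for this example.

// Constructed sample: nanoseconds for a read served from the CPU cache
// versus one that has to go to main memory.
const CACHED_READ_NS = 40;
const UNCACHED_READ_NS = 240;

// A clock that reports time only in steps of `resolutionNs`.
function makeClock(resolutionNs) {
  return (trueTimeNs) => Math.floor(trueTimeNs / resolutionNs) * resolutionNs;
}

// What a script sees when it times one operation with that clock.
function measure(clock, startNs, durationNs) {
  return clock(startNs + durationNs) - clock(startNs);
}

// Fraction of reads an observer labels correctly as cached/uncached
// when all it has is one timing per read taken with the given clock.
function guessAccuracy(resolutionNs, trials) {
  const clock = makeClock(resolutionNs);
  const threshold = (CACHED_READ_NS + UNCACHED_READ_NS) / 2;
  let seed = 12345; // fixed seed so the result is reproducible
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    seed = (seed * 48271) % 2147483647; // small LCG, stays below 2^53
    const startNs = seed % 1000000; // where in the clock's cycle the read begins
    const wasUncached = i % 2 === 1;
    const duration = wasUncached ? UNCACHED_READ_NS : CACHED_READ_NS;
    const guessedUncached = measure(clock, startNs, duration) > threshold;
    if (guessedUncached === wasUncached) correct++;
  }
  return correct / trials;
}

// 1 ns clock: every read is labelled correctly.
// 20,000 ns clock (assumed value): both kinds of read almost always measure 0,
// so the labels are barely better than a coin flip.
console.log("fine clock:  ", guessAccuracy(1, 10000));
console.log("coarse clock:", guessAccuracy(20000, 10000));
```

A coarser clock makes the timing harder to observe rather than fixing the processor, so the operating system and CPU updates described above are still needed.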
Our recommendation is to continue using standard security practices for avoiding malware and viruses. Do not open mail or attachments from unknown individuals, do not click suspicious links on websites, and stay away from advertising links online, since you cannot tell who they are really from. Even trusted websites can be the source of malware, so limit your online behavior to only what is necessary.
For the best protection, use a separate computer for browsing and email that doesn’t contain your most important information. It’s not uncommon in professional environments to have a computer with internet access separate from the workstation that connects to company servers and databases. You should consider this level of isolation if you handle private health or banking information for customers.
Please contact us if you’d like help updating your computers and operating systems to be protected. Most computers will be updating themselves this month, but we’re here to help if you are concerned.