SECURITY ALERT: Meltdown And Spectre
Categories: Cybersecurity, Security Alert
PLEASE NOTE: The following information details two inherent security vulnerabilities affecting all computers and computing devices. Windows, Linux, iOS, macOS, tvOS, Android and nearly all operating systems are vulnerable. The flaw also impacts big-name cloud computing services including, but not limited to, Amazon EC2, Microsoft Azure, and Google Compute Engine. If your systems have not been patched, please contact us immediately to resolve the issue.
In mid-2017, two security vulnerabilities that impact almost all modern computers, smartphones, tablets and even smart TVs were discovered by Google security researchers. These vulnerabilities, now known as Spectre and Meltdown, were kept under wraps by Intel and other vendors in an effort to prevent attackers from exploiting them. The issue was intended to be disclosed on January 9th, 2018, when secure software and firmware updates would be available to protect computer users. Windows, Linux, iOS, macOS, tvOS, Android and nearly all operating systems are vulnerable. The flaw also impacts big-name cloud computing services including Amazon EC2, Microsoft Azure, and Google Compute Engine. Yes, even the computer or mobile device you’re reading this article from.
The Meltdown Vulnerability
Meltdown has been called “probably one of the worst CPU bugs ever found” by Daniel Gruss, one of the researchers who discovered the flaw. Meltdown enables a malicious program to read the computer or mobile device's protected memory, which includes crucial data like passwords, photos, and other encrypted information. Meltdown is believed to impact only Intel processors which, unfortunately, form the foundation of all PCs. The vulnerabilities are present on nearly all processors produced from 1995 onward. Software and firmware patches have been made available to prevent this exploit.
The Spectre Vulnerability
Unfortunately, Spectre is far more widespread and impacts every single known device. Processors from AMD and Intel, as well as those based on the ARM architecture (all smartphones, wearables, etc. are on this list), are all affected. Spectre is harder to exploit than Meltdown, but that also means the problem is harder to fix. It's a far more serious problem that will most likely require a complete redesign of processors in future hardware generations.
It's not known whether hackers have already begun exploiting Meltdown or Spectre, and detecting such intrusions would be very difficult. That said, now that the vulnerabilities are known, hackers will begin to develop code they can use to launch attacks on unpatched computers and devices. With potentially tens of millions of unprotected devices open to exploitation, malicious code for the Meltdown and Spectre vulnerabilities will undoubtedly be added to hackers' standard toolkits for years to come.
How Can I Protect My Device Or Computer?
If your computer runs an unpatched operating system, you cannot work with sensitive information without the risk of leaking your data. This is the case with both your personal computer and cloud infrastructure. Unfortunately, these are serious flaws and the fixes are not easy one-and-done deals. Meltdown and Spectre are two very different CPU flaws that touch every part of your system, from hardware to software to the operating system itself.
To protect yourself, update everything. The entire computer industry is buckling down to patch in protections against Meltdown and Spectre. As patches become available, update your operating system, CPU firmware (if available), and web browser immediately. Anti-virus programs must also be updated. While anti-virus programs can’t protect you from the Meltdown and Spectre vulnerabilities themselves, they prevent hackers from entering your system to take advantage of those vulnerabilities. Avast, Avira, and BitDefender have already pushed updates to their customers.
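One way to confirm that an operating system update has actually taken effect on a Linux machine, as an added example that is not part of the original alert: Linux kernels that carry the fixes report their own Meltdown and Spectre status in files under /sys/devices/system/cpu/vulnerabilities/, and this script reads them. The function names, the --check and --demo options and the sample status lines are illustrative assumptions.

```sh
#!/bin/sh
# Added example (not from the original article). Assumes a Linux kernel that
# reports CPU flaw status under /sys/devices/system/cpu/vulnerabilities/.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE: map the kernel's status line to a one-word verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PATCHED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_dir DIR: print one row per flaw; return 1 if any row is VULNERABLE
# or UNKNOWN (a missing file means the kernel does not report on that flaw).
check_dir() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$1/$name" ]; then
            line=$(head -n 1 "$1/$name")
            verdict=$(classify_status "$line")
        else
            line="(no status file)"
            verdict=UNKNOWN
        fi
        printf '%-11s %-12s %s\n' "$name" "$verdict" "$line"
        case "$verdict" in VULNERABLE|UNKNOWN) rc=1 ;; esac
    done
    return "$rc"
}

# write_sample DIR: constructed sample of a partly patched machine, for
# trying the script offline (status strings in the style the kernel prints).
write_sample() {
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Vulnerable\n' > "$1/spectre_v2"
}

# "sh check.sh --check" inspects this machine; "--demo" uses the sample.
case "${1:-}" in
    --check) check_dir "$VULN_DIR"; exit $? ;;
    --demo)  d=$(mktemp -d); write_sample "$d"; check_dir "$d"; exit $? ;;
esac
```

A non-zero exit status means at least one of the three flaws is reported as vulnerable or is not reported at all, so the machine still needs a kernel or firmware update.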
What Patches Are Currently Available?
As of January 3rd, Windows 10 has automatically pushed updates (which included patches for Edge and Internet Explorer), but updates for Windows 7 and Windows 8 users will not be available until January 9th. Those using Chrome and Firefox web browsers must update to the most recent versions to ensure they are protected. Those new versions should be available at the end of January.
Although Apple has yet to publicly acknowledge the vulnerability, it has quickly released mitigations for iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Additional updates for Safari, macOS, and iOS have been announced but do not currently have delivery dates.
So far, industry testing supports Intel's position that the new security updates are not slowing computers down for the average computer user. The impact of these updates is highly workload-dependent and should not be significant for most. Those who have experienced 5-30% drops in performance after the updates should see those issues mitigated over time. It's an unfortunate reality for the small percentage of users seriously affected by slowdowns, but security is far more important than performance. A slower PC is a far better alternative to one that is vulnerable to hackers.