There’s a good chance you’ve heard by now, but if you haven’t… this is the real deal.
Two flaws were recently found in processors dating back twenty years. A majority portion of the world’s computer processors sold for those twenty years are vulnerable to at least one of two flaws that render them susceptible to hackers.
What’s going on and what can we do to protect ourselves?
It turns out that companies like Google and Microsoft have been working behind the scenes to create patches for what the security community has named Meltdown and Spectre. It’s not solved yet, though, and you still need to take some proactive measures to make sure your data is safe.
Risk & More Risk
This issue is actually multiple vulnerabilities that were revealed simultaneously. They’re similar in some ways, but differ in important others — a fact hinted at by their names.
The ascribed terms for these looming breaches are correctly evocative of the issues they present.
According to researchers, Meltdown “basically melts security boundaries which are normally enforced by the hardware.” Spectre, meanwhile, “breaks the isolation between different applications” allowing “an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”
And what does that actually mean? Essentially, either of these vulnerabilities could be theoretically exploited to steal sensitive data, like passwords, off your computer. Spectre is also a threat to your smartphone, so no safety there.
Meltdown can be mostly mitigated with software patches, it is thought only certain possible exploitations of Spectre can be stopped this way. Spectre is going to haunt us for a long time (hence the wildly appropriate name) and either one could potentially require new CPUs for a complete fix.
What has patched thus far?
Tech companies (if they’ve not yet) are rushing to release the above “mitigations” against possible attacks that could exploit Meltdown or Spectre (a handy patch list can be found here on the Computer Emergency Response Team site).
Why mitigations? Because the patches and updates mitigate the risks, but cannot and will not remove them entirely.
On January third, Microsoft put out an update for devices running Windows 10. It was downloaded and installed automatically, but if you do not have automatic updates on, please go do so manually as soon as you read this.
While a lot of that work happened behind the scenes by these two tech giants, there are still some actions you need to take yourself.
(Something we recommend is enabling “site isolation” on Chrome, and using Chrome above other browsers.)
Android devices with the most recent security updates are protected to the best of our knowledge from the above-mentioned variants. Again, mitigation, not absolute solutions, are being offered. Anything else is impossible on the pre-existing CPUs.
On January fourth Apple said that its products are at risk. To quote: “all Mac systems and iOS devices.” Patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and Spectre-focused patches for Safari should be hitting “in the coming days.” No confirmed date has been published yet, and no further updates have been offered by the company.
Meltdown and Spectre justifiably have security professionals concerned. However, at this time there are plenty of things you can do to protect yourself that don’t involve buying a new computer.
Security researcher Matt Tait stated that, at least when it comes to Meltdown, typical computer users can mostly rest easy. First and foremost, make sure your system is up to date. Download any and all patches for your operating system and browser of choice. Because more updates are coming down the pike, you’re not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don’t pull the classic “remind me later” bit.
And Spectre? This one is quite harder. “Spectre is harder to exploit than Meltdown, but it is also harder to mitigate,” explain the discoverers of these flaws. “However, it is possible to prevent specific known exploits based on Spectre through software patches.” The same advice applies as Meltdown: UPDATE.
** Please turn on your automatic updates and stay abreadth of updates. We will keep you posted as best we can. A page specifically dedicated to answering questions and informing those with a technical background on the specifics can be found here.**