Don’t you just love it when you wake up to a massive security exploit that affects pretty much every device you own that has a processor? If you do, you’re going to love it when you find out that there are actually TWO massive security exploits that affect pretty much every device you own that has a processor.
They’re called Meltdown and Spectre, and here’s what you should know about these vulnerabilities as well as what you can do to keep yourself safe.
What is Meltdown and Spectre?
The layman explanation is that these are exploits that can allow an attacker to read sensitive information from a computer’s memory including stuff like passwords, photos, messages, among others. If you want a more detailed explanation, you can check out Google Project Zero’s findings on the exploit. In essence, the exploits have something to do with the way the processors handle “speculative execution” which is a feature in modern processors to help increase performance.
What devices are affected?
According to Google, effectively every Intel processor released since 1995 is vulnerable to Meltdown while chips from Intel, AMD and ARM (that’s the ones in your phone), are vulnerable to Spectre exploits.
If that seems like a broad stroke to you, it’s because it is. This means that probably every computer you own right now is vulnerable to these exploits, including your smartphones, regardless of the operating system you run.
Apple has come out and said that “all Mac systems and iOS devices are affected”, but they note that “there are no known exploits impacting customers at this time”. In the meantime, they encourage their users to avoid downloading questionable software, instead sticking to software that’s available in the App Store only…which is pretty much what you should be doing anyway.
Google’s found that Spectre also affects Android devices but notes that the “exploitation has been shown to be difficult and limited on the majority of Android devices”.
AMD, on the other hand, has denied that their processors are affected despite what companies like Microsoft and Intel claim. AMD says that there is a “near zero risk to AMD processors” currently. According to the chipmaker, it’s because of how the AMD architecture is different so there’s practically no risk for those on AMD chips.
Besides that, PC World writes that Google has reported that the Chrome browser is also affected by Spectre. The Verge reports that the vulnerabilities also allow attackers to use JavaScript codes running in a browser to access memory in the attacker’s process. However, Google has deployed measures to mitigate it in the latest version of Chrome, version 63. Additionally, there will be more mitigation steps in Chrome 64 but in the meantime you can also opt-in to their new Site Isolation feature that can help in mitigating Spectre attacks.
If you want to learn more, you can also read iMore and PC World‘s articles about it for more in-depth explanations.
How can I protect myself from these exploits?
As far as something you can do right now, there really isn’t much. Since this exploit is so technical and deeply rooted in the CPU, all you can do is wait for patches to come in from your product/OS manufacturers. Still, this doesn’t mean that you should just sit on your hands and pray for the best. Instead, you should be making sure your devices are up to date with the latest software patches.
Major manufacturers have already pushed updates for this vulnerability to their devices. Microsoft, for example, pushed a Windows update on the 3rd of January 2018 protecting against Meltdown. Apple has also addressed these issues with macOS High Sierra 10.13.2, iOS 11.2, and tvOS 11.
Intel, has also revealed that they’re already releasing updates (in the form firmware updates and software patches) to patch these vulnerabilities for chips released in the last 5 years. According to them, they will hit the 90% mark of patched chips next week.
Google’s latest security patch (released in December) includes fixes to the vulnerability so if you’ve had your automatic updates on, you would have received it. On our end, our Samsung devices (Note8 and A8), Mi A1 and Huawei Mate 10 Pro have already received the December 2017 security patches so if you’re on a major manufacturers handset you probably already have yours too. If you’re running an older device, things might not be so simple because it’s up to your manufacturer to patch it.
However, patching this problem isn’t without its side effects. Reportedly, Intel’s fix for this vulnerability could cause performance to dip by anywhere between 5% to 30% depending on the type of task at hand. Intel remains adamant that everyday PC users won’t see dramatic slowdowns but have remained vague on which users/workloads will.
It also helps to make sure your antiviruses are working well to mitigate malicious hackers/software from using this exploit to obtain sensitive information in this time period where patch fixes are still rolling out. Most major manufacturers have known about this exploit since June 2017 and have been working on fixes since then.
Until everyone’s all patched up, the best you can do is make sure everything’s as up to date as it can and be careful when using your devices.