As people expectantly waited for what the New Year would bring, news of Meltdown and Spectre came as a shock to many.
Recently, news broke about two critical security flaws within computer processors. These flaws could allow hackers to steal sensitive information without users being aware of it.
The two flaws, Meltdown and Spectre, are found in processors designed by Intel, AMD, and ARM. These flaws were discovered by security researchers including Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology, and academics from different universities.
The researchers disclosed the flaws to tech companies like Apple and Microsoft in 2017. They had also informed Intel, and many are now speculating whether this is why Brian Krzanich, the company’s CEO, sold $24 million in company stock and options in November.
The researchers planned to reveal their findings publicly early this year.
Why were these security flaws not disclosed to the public earlier?
If researchers announced the details of what they discovered in real time, they would be giving out information to hackers at the same time that the manufacturers involved were creating a solution to the problem.
In cases like this, security researchers practice “responsible disclosure.” They contact affected companies privately, either as a simple courtesy or to collaborate with them on a solution.
What are Meltdown and Spectre bugs?
The two vulnerabilities are not exactly the same but they are related. They use a similar exploit mechanism to access computer data.
The Meltdown exploit could allow hackers to bypass what is normally a highly protected hardware barrier between applications run by users and their computer’s core memory. This barrier prevents applications from gaining access to arbitrary locations in kernel memory. When memory spaces are segregated and protected, this prevents applications from accidentally interfering with one another’s data. It also prevents malicious software from being able to see and modify data at will.
The Spectre exploit, on the other hand, allows hackers to trick applications that have previously been error-free into disclosing sensitive data.
Who is affected by these security flaws?
Chips dating back to 2011 were found to be vulnerable and testers believe processors released as far back as 1995 could be affected.
Meltdown affects Intel processors. Spectre affects most modern processors made by manufacturers that include Intel, AMD, and ARM.
What can users do to protect themselves from Meltdown and Spectre?
So far, there is no evidence that Meltdown and Spectre have been used in a cyber attack. Additionally, Intel, ARM, and AMD are working with device manufacturers to correct these flaws.
The following are some steps users can take to protect themselves from these vulnerabilities:
According to Apple, all of its computers, iPhones, and iPads are affected by both Meltdown and Spectre. However, if you have already installed the latest iOS version 11.2 on your iPhone or iPad, you are already protected from some of their vulnerabilities. You can check if you have the latest update by going to Settings > General > About > Version. Check if you are on 11.2. If not, go to Settings > General > Software Update and download the latest version.
As for Macs, a number of mitigations already rolled out in an update for iMacs, MacBooks, MacBook Pros, and Mac Minis in December 2017. The macOS High Sierra 10.13.2 update included fixes for some flaws. To check if you have the latest update, click the Apple menu button in the upper-left corner of your screen and select About This Mac to see if you have the latest version. If you don’t, open the App Store application, click on the Update tab and proceed to update your OS.
For Apple TV, the company was also able to include fixes in its December 2017 software update, tvOS 11.2. Apple TV should have updated its software automatically, but if yours did not, just go to Settings > System > Software Updates > Update Software.
According to Apple, the Apple Watch is not affected by Meltdown. Apple will work on mitigations in future versions of watchOS.
Apple announced that it will be releasing mitigations in Safari to help defend against Spectre.
The Nexus 5X and Nexus 6P phones should automatically download a security update and users just have to install it. The Pixel and Pixel 2 phones and their XL variants will automatically install too.
This automatic update should occur on other Android phones but there are phone manufacturers and cellular carriers that are a little slow to patch. You may want to contact your phone’s manufacturer and cellular carrier to make sure that they update as early as possible.
A new version of Google Chrome will roll out on January 23 and this will include mitigations that will protect your desktop and phone from web-based attacks. For those who can’t wait, however, Google has an experimental feature called Site Isolation that can help.
To turn on Site Isolation on Mac, Windows, Linux, Chrome OS or Android:
- Type or copy-paste chrome://flags/#enable-site-per-process into the URL field at the top of your Chrome browser and hit Enter.
- Look for Strict Site Isolation, then click Enable.
- Make sure you save anything that you are working on and click on Relaunch Now.
According to the company, Google Chromebooks will be automatically protected from Meltdown and Spectre. Chromebooks with ARM chips are not affected, and those that have other processors (mostly Intel) include mitigations as of Chrome OS version 63, which rolled out in mid-December.
Google says Google Home, Chromecast, WiFi, OnHub, Gmail Apps and services are not affected by these vulnerabilities.
Microsoft released a security update recently to help mitigate the vulnerabilities. It should automatically download and install in Windows 10 but it will depend on the user’s PC settings.
To check if your PC is protected, go to Settings > Update & security. If the security fix is not waiting in the update queue, click on Update history or View installed update history to see if it was already installed. The security update may have one of a variety of different names, depending on when Windows 10 was last updated. If you have the Fall Creators Update installed, you should see Security Update for Windows (KB4056892).
Microsoft has also announced that it will modify both its Internet Explorer and new Edge browsers.
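For anyone tracking more than one device, the version checks above can be run over an inventory list. The following is an added example, not part of the original post: the baselines are only the versions this article names as carrying initial mitigations, while the inventory records, the `windows10-fcu` platform label and the `KB0000000` hotfix are constructed for illustration.

```python
import re

# Baselines named in the article (first releases carrying mitigations).
MIN_VERSION = {"ios": (11, 2), "tvos": (11, 2), "macos": (10, 13, 2), "chromeos": (63,)}
WINDOWS_FCU_KB = "KB4056892"  # Fall Creators Update fix named in the article

def parse_version(text):
    """Turn a leading dotted version such as '63.0.3239.140' into a tuple of ints."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_mitigated(platform, version="", hotfixes=()):
    """Return True or False, or None when the article gives no baseline."""
    platform = platform.lower()
    if platform == "windows10-fcu":  # hypothetical inventory label
        return WINDOWS_FCU_KB in {h.upper() for h in hotfixes}
    minimum = MIN_VERSION.get(platform)
    if minimum is None:
        return None
    have = parse_version(version)
    # Compare numerically, padded to equal length: as strings "11.10" sorts
    # before "11.2", and "10.13" must count as older than "10.13.2".
    width = max(len(have), len(minimum))
    have += (0,) * (width - len(have))
    minimum += (0,) * (width - len(minimum))
    return have >= minimum

def audit(inventory):
    """Map each device name to 'ok', 'needs update' or 'unknown'."""
    label = {True: "ok", False: "needs update", None: "unknown"}
    return {d["name"]: label[is_mitigated(d["platform"], d.get("version", ""),
                                          d.get("hotfixes", ()))] for d in inventory}

INVENTORY = [  # constructed sample data
    {"name": "iphone-a", "platform": "iOS", "version": "11.1.2"},
    {"name": "ipad-b", "platform": "iOS", "version": "11.2"},
    {"name": "imac-c", "platform": "macOS", "version": "10.13"},
    {"name": "chromebook-d", "platform": "ChromeOS", "version": "63.0.3239.140"},
    {"name": "pc-e", "platform": "windows10-fcu", "hotfixes": ["KB0000000"]},
    {"name": "watch-f", "platform": "watchOS", "version": "4.2"},
]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

A result of "unknown" means the article names no patched version for that platform, not that the device is safe.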
These are simple steps that you can take to protect your devices from Meltdown and Spectre. If you have other security concerns, however, you can contact Netswitch today and our staff will gladly assist you.
The post How to Protect Your Computer from Meltdown and Spectre appeared first on Netswitch Technology Management.
This is a Security Bloggers Network syndicated blog post authored by Press Release. Read the original post at: News and Views – Netswitch Technology Management