The Sky is Falling… The real story on the “Meltdown and Spectre” flaws.
Over the past week, details have emerged on two major processor security flaws, and the industry is scrambling to issue fixes and secure machines for customers. Dubbed “Meltdown” and “Spectre,” the flaws affect nearly every device made in the past 20 years. The Meltdown flaw primarily affects Intel and ARM processors, and researchers have already released proof-of-concept code that could lead to attacks using Meltdown.
The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information. Researchers are already showing how easy this attack works on Linux machines, but Microsoft says it has “not received any information to indicate that these vulnerabilities have been used to attack customers at this time.”
Protecting a Windows PC is complicated
Protecting a Windows PC is complicated right now, and there’s still a lot of unknowns. Microsoft, Google, and Mozilla are all issuing patches for their browsers as a first line of defense. Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64, which is due to be released on January 23rd.
As of yesterday, Apple released three new security updates aimed at protecting Safari and WebKit from the Spectre attack. The three updates make changes to iOS, macOS, and Safari itself, but in each case, the stated goal is protecting Safari and the underlying browser engine against attacks exploiting the recently published Spectre vulnerability.
Chrome, Edge, and Firefox users on Windows won’t really need to do much apart from accept the automatic updates to ensure they’re protected at the basic browser level.
For Windows itself, this is where things get messy. Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party antivirus software then it’s possible you won’t see that patch yet. Security researchers are attempting to compile a list of antivirus software that’s supported, but it’s a bit of mess to say the least.
Is the Sky really falling?
Not at all! Even though this extensive vulnerability has been identified, there have not be any known attacks via this security vulnerability. Is it a problem – yes. Do we all have to live in fear of massive attacks to our PC’s and MAC’s – I think not! We should all just continue to follow our standard, everyday security protocols and keep our computer systems and antivirus protection up to date.
