Meltdown_Spectre_Shutterstock_SM

What you need to know about Meltdown and Spectre

With news ranging from accusations of insider trading to an Intel chip bug impacting billions of devices, you’ve probably heard about Meltdown and Spectre over the past week.

Meltdown and Spectre are names given to two different security bugs found in June of 2017 by Google. These bugs are far-reaching and impact a wide-range of computers, mobile devices and servers across many operating systems, such as iOS, MacOS, Android, Blackberry, Linux, and Microsoft.

Google has been working with various companies, including Apple, Microsoft, and Intel, to quietly release updates to fix the bugs, but the news leaked early. They planned an announcement for January 9 but it was released to the public earlier than expected on January 3.

Here’s what you need to know:

Meltdown

Meltdown is hardware vulnerability that impacts almost every Intel processor built within the past 20 years (Intel says since 1995). If exploited, it could allow an attacker to gain access to and read the computer’s memory without needing special permission. This means that if you accidentally download malware or click on a bad link, cyber criminals could steal sensitive information (e.g., passwords) from your computer’s memory without needing administrative privileges.

It’s worth noting that Meltdown has only been proven in the lab. So far there is no evidence anyone has actually used it…yet. Now that the news is out, experts expect it’s only a matter of time before criminals find a way to exploit these weaknesses.

Spectre

Spectre is a related, but different attack impacting almost all processors including Intel, Qualcomm, AMD, and ARM.  Spectre, if exploited—and there have been two known attack strategies so far—allows an attacker to read memory from the current process, not all memory on a computer like Meltdown.

While that may seem less scary, it’s not. Spectre works by tricking processors into executing instructions they should not have been able to. This means that just visiting a bad website could lead to someone stealing your passwords or session information.

What you do at home

Updates are still coming out and will be for months, but we’ve gathered the advice hitting the press so far (including PCWorld, Business Insider, CNN, How To Geek, TechRadar, and ZDNet) into one spot.

Here are five steps you can take to help combat these Meltdown and Spectre:

  1. Update your operating system. Every source is saying this is the number one thing you can do—including Microsoft—but you may have to wait a day or two. The original Microsoft patch didn’t work quite right in all cases, so they’re now reworking the update. When it is available again, download it and be sure to check for future updates in the coming days, weeks and months.*Best practice tip: Backup your files before you download. Whether it’s your computer or your cell phone’s operating system, experts say to it’s a wise move. How To Geek has some advice on how to do that in Windows, if you need a little assistance.
  1. Check your antivirus. ZDNet reports some antivirus software is blocking the Microsoft security patch. The issue has been that software companies need to set the proper registration key so their products work with the update. Microsoft says, “If you have not been offered the [Windows] security update, you may be running incompatible antivirus software and you should consult with the vendor.”
  1. Download for firmware updates from your device’s manufacturer. If you’re not familiar, firmware is software that’s embedded in a piece of computer hardware—and every source mentioned above says that’s going to need updating too. This may take months for manufacturers to develop, test, and release, but directions and downloads should be available on each manufacturer’s support page (i.e. Apple, HP, Dell, Lenovo, etc.)
  1. Patch your browser. Microsoft Edge or Internet Explorer security patches will be included in the Windows update. However, if you use a different browser, check to make sure you’re running the latest and greatest. Firefox has released version 57.0.4 and Chrome’s update is reportedly coming on January 23—in the meantime you could, according to Mashable, enable “Strict site isolation” using these instructions.*Best practices tip: Now would be a great time to make sure you’re running auto browser updates.

One more thing before you go: Whatever actions you take today, there’s probably more to come. These bugs are so deeply set into the core of today’s computer systems, running updates and patches need to be part of your routine home security strategy moving forward.

Want  to know more?  Here is some further reading in addition to the links included above:

 

Written by B. Murray with Missy Kellor

 

 

About TDS Security Team

The latest news and advice from the TDS Security Team.

,

No comments yet.

Leave a Comment