diff --git a/src/_posts/2018-01-11-spectre-and-meltdown.md b/src/_posts/2018-01-11-spectre-and-meltdown.md new file mode 100644 index 0000000..52298a1 --- /dev/null +++ b/src/_posts/2018-01-11-spectre-and-meltdown.md @@ -0,0 +1,143 @@ +--- +layout: post +title: Spectre and Meltdown +description: Our response to the Intel/ARM proccesor mess +image: pic01.jpg +category: values +date: 2018-01-11 +--- + +Autonomic have now completed the process of applying patches to to all +of our servers in response to the so called Spectre and Meltdown +vunrebilities. Our upstream providers have also confirmed that they have +patched their infrastructure also. + +We are currently super busy with clients so we decided to repost the +excellent security buliten from out friends over at Rise Up. All credit +to them for the rest of this blog post :) + +As you have probably read, there are three related security problems in +contemporary CPUs. These vulnerabilities open the potential for a +nefarious program to steal passwords, secrets, and personal information +from you computer, even if the program is just Javascript loaded from a +web site you visit. These vulnerabilities are as serious as they sound, +and you should take action to upgrade your software. + +* The first flaw, called "Meltdown," affects nearly all Intel CPUs and +has been fixed with updates to most operating systems. + +* The two other flaws, called "Spectre," apply to nearly all CPUs built +in the last 20 years, not just Intel, although they are more difficult +to exploit. There are no permanent fixes for Spectre available at this +time, although if you update your software you will make these attacks +much less likely. + +You should take *both* these steps now, for all your devices: + +1. Upgrade your web browser (see below). These fixes make the new +attacks against CPUs more much difficult. + +2. Upgrade your operating system. There are updates available for +Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for +Intel CPUs and provide some mitigations for Spectre. Additionally, new +releases of iOS and Android have mitigations for Spectre. + +Better fixes will continue to arrive in the next weeks/months for your +operating system and software. Please keep your system up to date! + +## Browsers +By updating your browser, you can make it significantly harder for an +attacker to steal secrets off your computer using Javascript loaded from +a web site you visit. + +Firefox version 57.0.4 and later includes mitigation measures [against +Spectre attack] [1]. + +Edge has been updated to include Spectre migitations. When you apply the +latest Windows update, you will get the new version of Edge. + +Safari will be updated very soon, according to Apple. Check the App +Store updates. + +Chrome will include Spectre mitigations starting with version 64, to be +released Jan 23. In the mean time, you can change your configuration to +greatly mitigate against the Spectre vulnerability by enabling "site +isolation" [https://support.google.com/chrome/answer/7623121?hl=en] + +Additionally, please see [https://riseup.net/en/better-web-browsing] for +instructions on best practices for securing your web experience (which +will also help mitigate against these new attacks). + +## Windows +For Windows 10, you must first upgrade any anti-virus software before +upgrading Windows. Failure to do so may make your computer stop working. +[2] + +To upgrade Windows 10: + +> Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates. + +Now is a good time to enable automatic updates: + +> Select the "Start" button, then select "Settings" > "Update & security" > "Windows Update" > "Advanced options" and then under "Choose how updates are installed", select "Automatic (recommended)". + +If you are running Windows 7 or 8, an update is also available. + +## macOS +If you already have macOS version 10.13.2 then you are [protected against +Meltdown] [3]. Otherwise, to upgrade macOS: + +> Open the App Store app on your Mac. Click "Updates" in the App Store toolbar, then use the "Update" buttons to download and install any updates listed. + +Now is a good time to check enable automatic updates: + +> Select the Apple menu, then select "System Preferences" > "App Store" > "Automatically check for updates". + +Apple plans to soon release an update to Safari browser to provide some +mitigation against Spectre. + +## iOS +Apple has said that iOS is affected by Spectre, and an update to +mitigate against most of the new attacks has been released. If you have +iOS version 11.2 or later, [then you are good] [3]. + +To check for new updates, go to Settings > General > Software Update. + +## Android +The bad news is that Android is vulnerable to Spectre and unless you +have a Google-branded phone or run a custom firmware you might not get +an update for months, if ever. However, the consensus among security +researchers at the moment is that the Spectre attack is difficult enough +that there are probably easier ways to compromise an Android device. +Yeah? + +There is one thing you can do now to make your Android device more safe +against these new CPU attacks: + +* Turn on "site isolation" in Chrome: +https://support.google.com/chrome/answer/7623121?hl=en +* Upgrade Chrome Browser after Jan 23. +* Alternately, use Firefox for Android. + +## Debian/Ubuntu GNU/Linux +Run "Software Center" or "Software Updater." + +Alternately, open a terminal and type: + +``` +sudo apt update +sudo apt upgrade +sudo reboot +``` + +## Fedora GNU/Linux +Open a terminal and type: + +``` +sudo dnf --refresh update kernel +sudo reboot +``` + +[1] [https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/] +[2] [http://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/] +[3] [https://support.apple.com/en-us/HT208394]