Spectre blog post
This commit is contained in:
georgeowell
parent
0939401b25
commit
8ad7fd5fed
@ -71,7 +71,7 @@
|
||||
<p>
|
||||
A grounded and principled understanding of the cybersecurity domain can ensure
|
||||
your organisation is not liable to any unwanted security threats. We provide
|
||||
structured training.
|
||||
structured training taliored to your threat model.
|
||||
</p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
---
|
||||
layout: post
|
||||
title: Our Founding Principles
|
||||
description: Autonomic Co-operative And Our Core Values.
|
||||
image: pic01.jpg
|
||||
description: Autonomic Co-operative And Our Core Values
|
||||
image: thinkpad.jpg
|
||||
category: values
|
||||
date: 2017-10-03
|
||||
---
|
||||
|
||||
150
src/_posts/2018-01-11-spectre-and-meltdown.md
Normal file
150
src/_posts/2018-01-11-spectre-and-meltdown.md
Normal file
@ -0,0 +1,150 @@
|
||||
---
|
||||
layout: post
|
||||
title: Spectre and Meltdown
|
||||
description: A Spectre Is Haunting Our Processors...
|
||||
image: spectre.jpg
|
||||
category: values
|
||||
date: 2018-01-11
|
||||
---
|
||||
|
||||
Autonomic have now completed the process of applying patches to to all
|
||||
of our servers in response to the so called Spectre and Meltdown
|
||||
vulnerabilities. Our upstream providers have also confirmed that they have
|
||||
patched their infrastructure. We will monitor the situation as it develops.
|
||||
|
||||
We are currently super busy with clients so we decided to repost the
|
||||
excellent security bulletin from our friends over at [Rise Up](https://riseup.net/)
|
||||
which goes into detail oh how to update various operating systems. All credit
|
||||
to them for the rest of this blog post.
|
||||
|
||||
## The Facts
|
||||
|
||||
As you have probably read, there are three related security problems in
|
||||
contemporary CPUs. These vulnerabilities open the potential for a
|
||||
nefarious program to steal passwords, secrets, and personal information
|
||||
from you computer, even if the program is just Javascript loaded from a
|
||||
web site you visit. These vulnerabilities are as serious as they sound,
|
||||
and you should take action to upgrade your software.
|
||||
|
||||
* The first flaw, called "Meltdown," affects nearly all Intel CPUs and
|
||||
has been fixed with updates to most operating systems.
|
||||
|
||||
* The two other flaws, called "Spectre," apply to nearly all CPUs built
|
||||
in the last 20 years, not just Intel, although they are more difficult
|
||||
to exploit. There are no permanent fixes for Spectre available at this
|
||||
time, although if you update your software you will make these attacks
|
||||
much less likely.
|
||||
|
||||
You should take *both* these steps now, for all your devices:
|
||||
|
||||
* Upgrade your web browser (see below). These fixes make the new
|
||||
attacks against CPUs more much difficult.
|
||||
|
||||
* Upgrade your operating system. There are updates available for
|
||||
Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for
|
||||
Intel CPUs and provide some mitigations for Spectre. Additionally, new
|
||||
releases of iOS and Android have mitigations for Spectre.
|
||||
|
||||
Better fixes will continue to arrive in the next weeks/months for your
|
||||
operating system and software. Please keep your system up to date!
|
||||
|
||||
## Browsers
|
||||
By updating your browser, you can make it significantly harder for an
|
||||
attacker to steal secrets off your computer using Javascript loaded from
|
||||
a web site you visit.
|
||||
|
||||
Firefox version 57.0.4 and later [includes mitigation measures](https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/)
|
||||
against Spectre attack.
|
||||
|
||||
Edge has been updated to include Spectre migitations. When you apply the
|
||||
latest Windows update, you will get the new version of Edge.
|
||||
|
||||
Safari will be updated very soon, according to Apple. Check the App
|
||||
Store updates.
|
||||
|
||||
Chrome will include Spectre mitigations starting with version 64, to be
|
||||
released Jan 23. In the mean time, you can change your configuration to
|
||||
greatly mitigate [against the Spectre vulnerability by enabling](https://support.google.com/chrome/answer/7623121?hl=en)
|
||||
"site isolation."
|
||||
|
||||
Additionally, please see [Rise Up's better browsing guide](https://riseup.net/en/better-web-browsing) for
|
||||
instructions on best practices for securing your web experience (which
|
||||
will also help mitigate against these new attacks).
|
||||
|
||||
## Windows
|
||||
For Windows 10, you must first upgrade any anti-virus software before
|
||||
upgrading Windows. [Failure to do so may make your computer stop working](http://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/).
|
||||
|
||||
To upgrade Windows 10:
|
||||
|
||||
```
|
||||
Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.
|
||||
```
|
||||
|
||||
Now is a good time to enable automatic updates:
|
||||
|
||||
```
|
||||
Select the "Start" button, then select "Settings" > "Update & security" > "Windows Update" > "Advanced options"
|
||||
and then under "Choose how updates are installed", select "Automatic (recommended)".
|
||||
```
|
||||
|
||||
If you are running Windows 7 or 8, an update is also available.
|
||||
|
||||
## macOS
|
||||
If you already have macOS version 10.13.2 then you are [protected against Meltdown](https://support.apple.com/en-us/HT208394).
|
||||
Otherwise, to upgrade macOS:
|
||||
|
||||
```
|
||||
Open the App Store app on your Mac. Click "Updates" in the App Store toolbar, then use the "Update" buttons
|
||||
to download and install any updates listed.
|
||||
```
|
||||
|
||||
Now is a good time to check enable automatic updates:
|
||||
|
||||
```
|
||||
Select the Apple menu, then select "System Preferences" > "App Store" > "Automatically check for updates".
|
||||
```
|
||||
|
||||
Apple plans to soon release an update to Safari browser to provide some
|
||||
mitigation against Spectre.
|
||||
|
||||
## iOS
|
||||
Apple has said that iOS is affected by Spectre, and an update to
|
||||
mitigate against most of the new attacks has been released. If you have
|
||||
iOS version 11.2 or later, [then you are good](https://support.apple.com/en-us/HT208394).
|
||||
|
||||
To check for new updates, go to `Settings > General > Software Update.`
|
||||
|
||||
## Android
|
||||
The bad news is that Android is vulnerable to Spectre and unless you
|
||||
have a Google-branded phone or run a custom firmware you might not get
|
||||
an update for months, if ever. However, the consensus among security
|
||||
researchers at the moment is that the Spectre attack is difficult enough
|
||||
that there are probably easier ways to compromise an Android device.
|
||||
Yeah?
|
||||
|
||||
There is one thing you can do now to make your Android device more safe
|
||||
against these new CPU attacks:
|
||||
|
||||
* Turn on ["site isolation" in Chrome](https://support.google.com/chrome/answer/7623121?hl=en)
|
||||
* Upgrade Chrome Browser after Jan 23.
|
||||
* Alternately, use Firefox for Android.
|
||||
|
||||
## Debian/Ubuntu GNU/Linux
|
||||
Run "Software Center" or "Software Updater."
|
||||
|
||||
Alternately, open a terminal and type:
|
||||
|
||||
```
|
||||
sudo apt update
|
||||
sudo apt upgrade
|
||||
sudo reboot
|
||||
```
|
||||
|
||||
## Fedora GNU/Linux
|
||||
Open a terminal and type:
|
||||
|
||||
```
|
||||
sudo dnf --refresh update kernel
|
||||
sudo reboot
|
||||
```
|
||||
Reference in New Issue
Block a user