Spectre and Meltdown
A Spectre Is Haunting Our Processors...
January 11, 2018

Autonomic have now completed the process of applying patches to all of our servers in response to the so-called Spectre and Meltdown vulnerabilities. Our upstream providers have also confirmed that they have patched their infrastructure. We will monitor the situation as it develops.

We are currently super busy with clients so we decided to repost the excellent security bulletin from our friends over at Rise Up which goes into detail on how to update various operating systems. All credit to them for the rest of this blog post.

The Facts

As you have probably read, there are three related security problems in contemporary CPUs. These vulnerabilities open the potential for a nefarious program to steal passwords, secrets, and personal information from your computer, even if the program is just JavaScript loaded from a web site you visit. These vulnerabilities are as serious as they sound, and you should take action to upgrade your software.

- The first flaw, called “Meltdown,” affects nearly all Intel CPUs and has been fixed with updates to most operating systems.
- The two other flaws, called “Spectre,” apply to nearly all CPUs built in the last 20 years, not just Intel, although they are more difficult to exploit. There are no permanent fixes for Spectre available at this time, although if you update your software you will make these attacks much less likely.

You should take both these steps now, for all your devices:

- Upgrade your web browser (see below). These fixes make the new attacks against CPUs much more difficult.
- Upgrade your operating system. There are updates available for Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for Intel CPUs and provide some mitigations for Spectre. Additionally, new releases of iOS and Android have mitigations for Spectre.

Better fixes will continue to arrive in the next weeks/months for your operating system and software. Please keep your system up to date!

Browsers

By updating your browser, you can make it significantly harder for an attacker to steal secrets off your computer using JavaScript loaded from a web site you visit.

Firefox version 57.0.4 and later includes mitigation measures against the Spectre attack.

Edge has been updated to include Spectre mitigations. When you apply the latest Windows update, you will get the new version of Edge.

Safari will be updated very soon, according to Apple. Check the App Store updates.

Chrome will include Spectre mitigations starting with version 64, to be released Jan 23. In the meantime, you can change your configuration to greatly mitigate against the Spectre vulnerability by enabling “site isolation.”

Additionally, please see Rise Up’s better browsing guide for instructions on best practices for securing your web experience (which will also help mitigate against these new attacks).

Windows

For Windows 10, you must first upgrade any anti-virus software before upgrading Windows. Failure to do so may make your computer stop working.

To upgrade Windows 10:

Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.

Now is a good time to enable automatic updates:

Select the "Start" button, then select "Settings" > "Update & security" > "Windows Update" > "Advanced options" and then under "Choose how updates are installed", select "Automatic (recommended)".

If you are running Windows 7 or 8, an update is also available.

macOS

If you already have macOS version 10.13.2 then you are protected against Meltdown. Otherwise, to upgrade macOS:

Open the App Store app on your Mac. Click "Updates" in the App Store toolbar, then use the "Update" buttons to download and install any updates listed.

Now is a good time to enable automatic updates:

Select the Apple menu, then select "System Preferences" > "App Store" > "Automatically check for updates".

Apple plans to soon release an update to Safari browser to provide some mitigation against Spectre.

iOS

Apple has said that iOS is affected by Spectre, and an update to mitigate against most of the new attacks has been released. If you have iOS version 11.2 or later, then you are good.

To check for new updates, go to Settings > General > Software Update.

Android

The bad news is that Android is vulnerable to Spectre and unless you have a Google-branded phone or run a custom firmware you might not get an update for months, if ever. However, the consensus among security researchers at the moment is that the Spectre attack is difficult enough that there are probably easier ways to compromise an Android device. Yeah?

There is one thing you can do now to make your Android device more safe against these new CPU attacks:

- Turn on “site isolation” in Chrome
- Upgrade Chrome Browser after Jan 23.
- Alternately, use Firefox for Android.

Debian/Ubuntu GNU/Linux

Run “Software Center” or “Software Updater.”

Alternately, open a terminal and type:

    sudo apt update
    sudo apt upgrade
    sudo reboot

Fedora GNU/Linux

Open a terminal and type:

    sudo dnf --refresh update kernel
    sudo reboot
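
A post-reboot check for the Debian/Ubuntu and Fedora steps above, added here as an example and not part of the original bulletin. It assumes the kernel reports its mitigation status under /sys/devices/system/cpu/vulnerabilities (present in Linux 4.15 and in distribution kernels that backported the interface); the function names and the --check flag are illustrative.

```shell
#!/bin/sh
# Added example: confirm the upgraded kernel is actually running with
# Meltdown/Spectre mitigations. Assumption: the kernel's sysfs reporting
# directory below exists (it is not mentioned in the original post).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_mitigations [DIR] -> one line per issue.
# Returns 0 if all are ok, 1 if any is vulnerable/unknown, 2 if DIR is missing.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    if [ ! -d "$dir" ]; then
        # Old kernels have no reporting interface: the update was not applied
        # or the machine has not been rebooted into the new kernel.
        echo "unknown: $dir missing (kernel predates this interface)"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            status="(no entry)"
        fi
        verdict=$(classify_status "$status")
        echo "$name: $verdict: $status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Run against the live system only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_mitigations
fi
```

A non-zero exit after the reboot means the running kernel still reports at least one of the three issues as unmitigated or cannot report at all, so the upgrade should be repeated once newer kernel packages are available.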