Spectre and Meltdown
-A Spectre Is Haunting Our Processors...
-January 11, 2018
-Autonomic have now completed the process of applying patches to to all -of our servers in response to the so called Spectre and Meltdown -vulnerabilities. Our upstream providers have also confirmed that they have -patched their infrastructure. We will monitor the situation as it develops.
- -We are currently super busy with clients so we decided to repost the -excellent security bulletin from our friends over at Rise Up -which goes into detail oh how to update various operating systems. All credit -to them for the rest of this blog post.
- -The Facts
- -As you have probably read, there are three related security problems in -contemporary CPUs. These vulnerabilities open the potential for a -nefarious program to steal passwords, secrets, and personal information -from you computer, even if the program is just Javascript loaded from a -web site you visit. These vulnerabilities are as serious as they sound, -and you should take action to upgrade your software.
- --
-
-
-
The first flaw, called “Meltdown,” affects nearly all Intel CPUs and -has been fixed with updates to most operating systems.
-
- -
-
The two other flaws, called “Spectre,” apply to nearly all CPUs built -in the last 20 years, not just Intel, although they are more difficult -to exploit. There are no permanent fixes for Spectre available at this -time, although if you update your software you will make these attacks -much less likely.
-
-
You should take both these steps now, for all your devices:
- --
-
-
-
Upgrade your web browser (see below). These fixes make the new -attacks against CPUs more much difficult.
-
- -
-
Upgrade your operating system. There are updates available for -Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for -Intel CPUs and provide some mitigations for Spectre. Additionally, new -releases of iOS and Android have mitigations for Spectre.
-
-
Better fixes will continue to arrive in the next weeks/months for your -operating system and software. Please keep your system up to date!
- -Browsers
-By updating your browser, you can make it significantly harder for an -attacker to steal secrets off your computer using Javascript loaded from -a web site you visit.
- -Firefox version 57.0.4 and later includes mitigation measures -against Spectre attack.
- -Edge has been updated to include Spectre migitations. When you apply the -latest Windows update, you will get the new version of Edge.
- -Safari will be updated very soon, according to Apple. Check the App -Store updates.
- -Chrome will include Spectre mitigations starting with version 64, to be -released Jan 23. In the mean time, you can change your configuration to -greatly mitigate against the Spectre vulnerability by enabling - “site isolation.”
- -Additionally, please see Rise Up’s better browsing guide for -instructions on best practices for securing your web experience (which -will also help mitigate against these new attacks).
- -Windows
-For Windows 10, you must first upgrade any anti-virus software before -upgrading Windows. Failure to do so may make your computer stop working.
- -To upgrade Windows 10:
- -Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.
-
Now is a good time to enable automatic updates:
- -Select the "Start" button, then select "Settings" > "Update & security" > "Windows Update" > "Advanced options"
-and then under "Choose how updates are installed", select "Automatic (recommended)".
-
If you are running Windows 7 or 8, an update is also available.
- -macOS
-If you already have macOS version 10.13.2 then you are protected against Meltdown. -Otherwise, to upgrade macOS:
- -Open the App Store app on your Mac. Click "Updates" in the App Store toolbar, then use the "Update" buttons
-to download and install any updates listed.
-
Now is a good time to check enable automatic updates:
- -Select the Apple menu, then select "System Preferences" > "App Store" > "Automatically check for updates".
-
Apple plans to soon release an update to Safari browser to provide some -mitigation against Spectre.
- -iOS
-Apple has said that iOS is affected by Spectre, and an update to -mitigate against most of the new attacks has been released. If you have -iOS version 11.2 or later, then you are good.
- -To check for new updates, go to Settings > General > Software Update.
Android
-The bad news is that Android is vulnerable to Spectre and unless you -have a Google-branded phone or run a custom firmware you might not get -an update for months, if ever. However, the consensus among security -researchers at the moment is that the Spectre attack is difficult enough -that there are probably easier ways to compromise an Android device. -Yeah?
- -There is one thing you can do now to make your Android device more safe -against these new CPU attacks:
- --
-
- Turn on “site isolation” in Chrome -
- Upgrade Chrome Browser after Jan 23. -
- Alternately, use Firefox for Android. -
Debian/Ubuntu GNU/Linux
-Run “Software Center” or “Software Updater.”
- -Alternately, open a terminal and type:
- -sudo apt update
-sudo apt upgrade
-sudo reboot
-
Fedora GNU/Linux
-Open a terminal and type:
- -sudo dnf --refresh update kernel
-sudo reboot
-