Spectre and Meltdown
A Spectre Is Haunting Our Processors...
January 11, 2018
Autonomic have now completed the process of applying patches to to all of our servers in response to the so called Spectre and Meltdown vulnerabilities. Our upstream providers have also confirmed that they have patched their infrastructure. We will monitor the situation as it develops.
We are currently super busy with clients so we decided to repost the excellent security bulletin from our friends over at Rise Up which goes into detail oh how to update various operating systems. All credit to them for the rest of this blog post.
The Facts
As you have probably read, there are three related security problems in contemporary CPUs. These vulnerabilities open the potential for a nefarious program to steal passwords, secrets, and personal information from you computer, even if the program is just Javascript loaded from a web site you visit. These vulnerabilities are as serious as they sound, and you should take action to upgrade your software.
-
The first flaw, called “Meltdown,” affects nearly all Intel CPUs and has been fixed with updates to most operating systems.
-
The two other flaws, called “Spectre,” apply to nearly all CPUs built in the last 20 years, not just Intel, although they are more difficult to exploit. There are no permanent fixes for Spectre available at this time, although if you update your software you will make these attacks much less likely.
You should take both these steps now, for all your devices:
-
Upgrade your web browser (see below). These fixes make the new attacks against CPUs more much difficult.
-
Upgrade your operating system. There are updates available for Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for Intel CPUs and provide some mitigations for Spectre. Additionally, new releases of iOS and Android have mitigations for Spectre.
Better fixes will continue to arrive in the next weeks/months for your operating system and software. Please keep your system up to date!
Browsers
By updating your browser, you can make it significantly harder for an attacker to steal secrets off your computer using Javascript loaded from a web site you visit.
Firefox version 57.0.4 and later includes mitigation measures against Spectre attack.
Edge has been updated to include Spectre migitations. When you apply the latest Windows update, you will get the new version of Edge.
Safari will be updated very soon, according to Apple. Check the App Store updates.
Chrome will include Spectre mitigations starting with version 64, to be released Jan 23. In the mean time, you can change your configuration to greatly mitigate against the Spectre vulnerability by enabling “site isolation.”
Additionally, please see Rise Up’s better browsing guide for instructions on best practices for securing your web experience (which will also help mitigate against these new attacks).
Windows
For Windows 10, you must first upgrade any anti-virus software before upgrading Windows. Failure to do so may make your computer stop working.
To upgrade Windows 10:
Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.
Now is a good time to enable automatic updates:
Select the "Start" button, then select "Settings" > "Update & security" > "Windows Update" > "Advanced options"
and then under "Choose how updates are installed", select "Automatic (recommended)".
If you are running Windows 7 or 8, an update is also available.
macOS
If you already have macOS version 10.13.2 then you are protected against Meltdown. Otherwise, to upgrade macOS:
Open the App Store app on your Mac. Click "Updates" in the App Store toolbar, then use the "Update" buttons
to download and install any updates listed.
Now is a good time to check enable automatic updates:
Select the Apple menu, then select "System Preferences" > "App Store" > "Automatically check for updates".
Apple plans to soon release an update to Safari browser to provide some mitigation against Spectre.
iOS
Apple has said that iOS is affected by Spectre, and an update to mitigate against most of the new attacks has been released. If you have iOS version 11.2 or later, then you are good.
To check for new updates, go to Settings > General > Software Update.
Android
The bad news is that Android is vulnerable to Spectre and unless you have a Google-branded phone or run a custom firmware you might not get an update for months, if ever. However, the consensus among security researchers at the moment is that the Spectre attack is difficult enough that there are probably easier ways to compromise an Android device. Yeah?
There is one thing you can do now to make your Android device more safe against these new CPU attacks:
- Turn on “site isolation” in Chrome
- Upgrade Chrome Browser after Jan 23.
- Alternately, use Firefox for Android.
Debian/Ubuntu GNU/Linux
Run “Software Center” or “Software Updater.”
Alternately, open a terminal and type:
sudo apt update
sudo apt upgrade
sudo reboot
Fedora GNU/Linux
Open a terminal and type:
sudo dnf --refresh update kernel
sudo reboot