Jan 052018
 

Much in the media this week about an industry-wide problem with all devices using Intel processors — CPU chips, and perhaps those from other manufacturers as well. A security vulnerability: Meltdown and Spectre. It’s like Dorothy, the Tin Man and the Scarecrow walking through the dark forest in the 1939 classic The Wizard of OZ and chanting “Lions and tigers and bears, oh my!”

PC World’s been covering this situation with a bunch of articles. Here’re a few links:

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against it. And worse, plugging the hole can negatively affect your PC’s performance.

Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant, as ever. If you want to dive right into the action without all the background information, we’ve also created a focused guide on how to protect your PC against Meltdown and Spectre.1

Intel said the patches for the CPU vulnerability, due next week, would bring a negligible performance hit to the average user. Claiming that the patches can make PCs “immune” from the vulnerabilities is a first, though.

Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.

We’ve been waiting to hear from Apple ever since we first heard about the far-reaching Meltdown and Spectre CPU flaws earlier this week, and the company has finally responded with some not-so-good news: All Mac and iOS devices are affected. That’s right, all of them. However, Apple ensures us there’s no reason to panic.

So, the bottom line is that this vulnerability is serious. Lots of manufacturers of the hardware and software that make your devices run are working on the fixes. Some patches already have been released. So, just be ready for the updates. It’ll take time for everything to settle down. The major concern is impact on performance. Ironically, the vulnerabilities were a result of long-standing techniques to improve performance. As PC World stated:

“We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.”

In summary:

  • Update your operating system
  • Check for firmware updates
  • Update your browser
  • Keep your antivirus active

 

[1] That PC World article notes that:

  • Microsoft pushed out an emergency Windows patch [Windows 10 ‘1709’ edition KB4056892 patch] late in the day on January 3.
  • Apple quietly worked Meltdown protections into macOS High Sierra 10.13.2, which released in December. [Also iOS 11.2.]
  • Intel also released a detection tool that can help you determine whether you need a firmware update.
  • The major PC web browsers have all issued updates as a first line of defense against nefarious websites seeking to exploit the CPU flaw with Javascript.
  • The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer.

UPDATE: I haven’t tried Intel’s detection tool, but today (January 17, 2018) Senior Editor Brad Chacos at PC World published an article about a 3rd-party tool which checks whether your system has been patched to protect against the flaws: “Is your PC vulnerable to Meltdown and Spectre CPU exploits? InSpectre tells you.”

Gibson Research recently released InSpectre, a wonderfully named, dead simple tool that detects if your PC is vulnerable to Meltdown and Spectre.

InSpectre is a small 122 KB program that doesn’t need a formal install and scans your computer for Meltdown and Spectre susceptibility in mere milliseconds. When it’s done, the program pops up with clear, easy-to-read information about the security status of your system.

This is the sort of software Microsoft or Intel should have released to help clarify the murky, convoluted patching situation around this devastating duo of CPU exploits.

Personally, I’ll wait for these tools to evolve further.