The tech industry is scrambling to fix (or at least mitigate) the two new vulnerabilities discovered by security researchers at the end of 2017. Meltdown and Spectre are making headlines around the world, and for good reason – the two flaws affect almost every device powered by an Intel, AMD or ARM processor made in the past 20 years.
These vulnerabilities can affect smartphones, desktops, laptops, cloud servers, and the list goes on. Keep in mind that this is not a Microsoft exclusive problem – all other operating system vendors are affected.
What are Meltdown and Spectre?
Dubbed Meltdown and Spectre, the two vulnerabilities make it possible for an attacker to exploit critical flaws in modern processors in order to gain access to the protected kernel memory. With the right skill set, a hacker could theoretically exploit them to compromise the privileged memory of a processor and run a malicious code to access extremely sensitive memory content from it. This memory content can contain passwords, keystrokes, personal data and other valuable information.
This set of vulnerabilities shows that it’s possible to bypass address space isolation – the foundation of processor integrity ever since 1980. Until now, address space isolation was regarded as a secure isolation mechanism between user applications and the operating system and between two applications.
All modern CPUs use a series of basic processes to help speed up requests. Meltdown and Spectre take advantage of the timing of various instructions to extract sensitive or personal information. While security experts determined that Spectre is harder to exploit than Meltdown, it appears that it can do considerably more damage than Meltdown.
How does it affect you?
While Meltdown bypasses the isolation between user applications and the OS, Spectre tears the isolation between two different applications. Perhaps the most worrying thing about Specter is that hackers no longer need to find a vulnerability within the program – it’s theoretically possible to trick programs that follow best practices into leaking sensitive information, even if they run a solid security shop.
If we were to be totally pessimistic about the security threat, no application can be regarded as 100% safe anymore. Although there have been no confirmed attacks that make use of Specter and Meltdown, chances are black hat hackers are already contemplating on how to get their hands on your data by exploiting these vulnerabilities.
Unfortunately, this is a chip-level security flaw that can’t be entirely fixed with a software update. Because it requires modification to the OS kernel, the only permanent fix that will eliminate the breaches completely is an architecture redesign (in other words, replacing the CPU). This has left the big players in the tech industry with little choices. Since they can’t replace the CPU of all the previously released devices, their best hope is to mitigate the risk as much as they can via security patches.
All operating system vendors have released (or are to release) security patches to tackle the flaws. However, the fix comes at a price – security patches are expected to slow down all affected devices anywhere between 5 and 30 percent due to fundamental changes on how the OS kernel handles the memory.
It’s rare that all the big players get together in an attempt to fix these flaws, but it’s also a good indicator of how serious the issue really is. Without panicking too much, it’s good practice to keep an eye on security updates and make sure you offer your device the best protection you can against these vulnerabilities. To help you in this quest, we have compiled a list of fixes against the two security flaws.
How to protect against the Meltdown and Spectre CPU security flaws
Below you’ll find a list of ways to protecting yourself against Meltdown and Specter vulnerabilities. The guide is split into a series of sub-titles with the most popular range of devices affected by these vulnerabilities. Please follow the guide appropriate to your device and make sure to revisit this link, as we’ll update the article with new fixes as they are released.
Note: Keep in mind that the steps below are largely effective against Meltdown, which is the most immediate threat to the two security flaws. Spectre is still a large unknown, but security researchers are placing it second on their list because it’s a lot more difficult to exploit than Meltdown.
How to fix Spectre and Meltdown security flaws on Windows
There are three main requirements that need to be met in order to ensure the maximum protection against the new security flaws on Windows – OS update, browser update, and firmware update. From the average Windows user’s point of view, the best thing to do right now is to ensure that you have the latest Windows 10 update and make sure you surf the web from a patched web browser.
Microsoft has already issued an emergency security patch through WU (Windows Update). However, it seems that update is not visible on some PCs due to third-party antivirus suites that are preventing kernel changes. Security experts are working on a list of supported antivirus programs, but things are fragmented, to say the least.
If you haven’t been prompted to update automatically, open a Run window (Windows key + R), type “control update” and hit Enter. In the Windows Update screen, click on Check for updates and install the new security update if prompted.
Microsoft has also provided manual download links to tackle this issue for Windows 7, Windows 8.1 and Windows 10:
Note: The links above contain multiple update packages according to various CPU architectures. Please download a patch applicable to your PC configuration.
However, protecting your Windows PC against Specter and Meltdown is a little more complicated than downloading a Microsoft security patch. The second line of defense is security patches for the web browser that you use.
- Firefox already includes a fix starting with version 57.
- Edge and Internet Explorer for Windows 10 have already received security patches aimed to guard against these vulnerabilities.
- Chrome has announced a security patch scheduled to be released on January 23rd.
Users are instructed to accept any automatic update to ensure protection at the browser level. If you don’t have the latest browser version or the update didn’t install automatically, uninstall it and download the latest version.
On a separate avenue, chip makers (Intel, AMD, and ARM) are working on firmware updates for additional hardware protection. Most likely, those will be distributed separately by OEMs firmware updates. However, the work is only beginning, so it could be a while until we see the firmware updates arriving on our devices. Since it’s up to the OEMs to release firmware updates, it’s worth a shot to check with your PC’s OEM support website for any news of a potential fix.
There’s already talk that Microsoft is pairing up with CPU makers to create a tool that will check for protection for both firmware and Windows updates. But until then, we need to manually check for ourselves.
How to fix Spectre and Meltdown security flaws on Android
Android devices are also affected by the Spectre and Meltdown vulnerabilities. Well, at least in theory. It was a Google research team that discovered the vulnerabilities and notified the chipmakers (long before the press caught wind of it). This happened 6 months before the coordinated disclosure took place, so one could speculate that this delay enabled Google to be better prepared than the competition.
Starting with January 5, Google began distributing a new security update for Android to protect against Meltdown and Specter. But given the fragmented nature of the Android realm, chances are you won’t get it as soon as you’d like. Naturally, Google-branded phones such as Nexus and Pixel had priority and got it almost instantly OTA.
If you own an Android phone from another manufacturer other than Google, you might be in for a long wait. However, given the press attention that Meltdown and Spectre are getting, they might speed up the process considerably.
But regardless of your Android manufacturer, go to Settings and see whether you have a new update pending. If not, do an online investigation an see whether your phone manufacturer is planning on releasing a fix anytime soon.
How to Fix Spectre and Meltdown security flaws on iOS
Apple has been definitely caught off guard when the two vulnerabilities we’re disclosed. While the company initially denied that any of their devices are affected by Meltdown and Spectre, they have since come to admit that the flaw affects all iPhones. Since they have an almost identical CPU architecture, iPads and iPods are equally affected by the security flaws.
While you wait for an official Apple statement, keep an eye out for any new updates for your iPhone, iPad or iPod. Go to Settings > General > Software update and install any update that is pending.
How to Fix Spectre and Meltdown security flaws on Macs
Even though Apple was initially tight-lipped about the problem, Macs are also affected by Meltdown and Spectre. As it turns out, almost all of Apple’s products (besides Apple Watches) are affected.
Until new fixes arrive, diligently apply any update from the App Store for your OS X or macOS and make sure you’re on the latest version possible.
How to Fix Spectre and Meltdown security flaws on Chrome OS
Chromebooks appear to be the devices with the strongest layer of protection against Meltdown and Spectre. Google has announced that all recent Chromebooks should be automatically protected against these new security threats. Any Chromebook running on Chrome OS version 63 (released in December) should already have the necessary security fixes.
To ensure that you’re protected, make sure you have the latest update for Chrome OS. Most users are already on version 63, but if you’re not, update immediately.
If you want to get more technical, you can type “chrome://gpu” into your Omnibar and hit Enter. Then, use Ctrl + F to search for “operating system” This will enable you to see your Kernel version. Kernel versions 3.18 and 4.4 are already patched for these security flaws.