New Threats Target CPU Design Flaw: Meltdown and Spectre

By now you’ve probably heard about the Meltdown and Spectre vulnerabilities. They have been a major news story this past week, even being mentioned on local news. In a nutshell, a major design flaw was found in the main chip of most modern computing devices that allows malicious code to easily get access to your computer’s memory (stealing passwords and other critical data along the way).

To be clear, this impacts almost every computing device. Desktop and laptop computers from all manufacturers, whatever their operating system (Windows, macOS, Linux), are probably the most susceptible. However, it also impacts smartphones, tablets, printers, and even some PC components like video cards.

What we are doing for UF IT devices.

We are updating all machines on the network. Some software patches are already being deployed through our normal processes and maintenance windows. The software patches only make it harder to exploit the flaw. We will also need to apply a hardware patch manually on most computers.

This is going to take some time, especially since some of the patches are not even available yet.

What you need to do.

You’re going to need to patch your own personal devices. We’ve collected a lot of reference materials below to help you along.

In the meantime, while at the office and at home, you need to be extra vigilant in practicing safe computing and the “Think Before You Click” techniques that are taught in UF’s monthly Cyber Self Defense Course (UF_ITT100_ILT, https://security.ufl.edu/learn-information-security/spice-training/cyber-self-defense/ (link is now invalid)). Unfortunately, the next instructor-led class is not until Feb 22nd, 1:30-4:00, but it is well worth the time.

Reference

Websites

The group responsible for discovering these design flaws, and the attacks that exploit them, created a very good website, https://meltdownattack.com/, with information, FAQ, videos, and an index of where to find patches.  The bottom of this page includes links to official security bulletins and advisories of many involved/affected companies and can be helpful in determining what patches you need.  There are also articles on most tech and news blogs and websites.  A few of the more helpful are:

Windows

Microsoft quickly released a security rollup for Windows the first week of January. If your system is capable, it should download and apply the patches if you have Automatic Updates configured. However, prior to installation, the specific security updates that protect against Meltdown and Spectre check for incompatible antivirus products and will not apply if one is installed on your computer.

For Windows 7, 8.1, and 10, ensure that the January 2018 security rollup patch is installed. The knowledge base articles that pertain to each version are listed below and can be used to identify the exact patch number for your computer:

Windows Version              Release Date   KB
Windows 10 – version 1709    January 3      KB4056892
Windows 10 – version 1703    January 5      KB4056891
Windows 10 – version 1607    January 3      KB4056890
Windows 8.1                  January 3      KB4056898
Windows 7 SP1                January 3      KB4056897
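
One way to check a machine against the table above, as an added example that is not part of the original page: the script picks the KB for the running Windows build and asks Windows whether it is installed. The build numbers used to identify each version (16299, 15063, 14393, 9600, 7601) are not on this page and are supplied here as an assumption; the KB numbers are the ones in the table.

```powershell
# Added example (not from the original page).
# Maps the local Windows build to the January 2018 KB from the table above
# and reports whether that KB is present. Build numbers are an assumption
# added for this example; KB ids come from the table.
$JanuaryRollups = @{
    '16299' = 'KB4056892'   # Windows 10 version 1709
    '15063' = 'KB4056891'   # Windows 10 version 1703
    '14393' = 'KB4056890'   # Windows 10 version 1607
    '9600'  = 'KB4056898'   # Windows 8.1
    '7601'  = 'KB4056897'   # Windows 7 SP1
}

function Test-JanuaryRollup {
    # Get-WmiObject is used so the check also runs on the PowerShell 2.0
    # that ships with Windows 7.
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $build = [string]$os.BuildNumber
    $kb    = $JanuaryRollups[$build]
    $installedOn = $null

    if (-not $kb) {
        # Version not covered by the table: nothing to compare against.
        $status = 'Build not in table; look up the KB for this version'
    } else {
        # Get-HotFix writes an error when the id is absent; suppress it
        # and treat "no result" as "not found".
        $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        if ($hotfix) {
            $status      = 'Installed'
            $installedOn = $hotfix.InstalledOn
        } else {
            # Either the patch has not been offered yet (for example,
            # blocked by incompatible antivirus) or the fix arrived in a
            # later update that carries a different KB number.
            $status = 'Not found; check update history and antivirus'
        }
    }

    New-Object PSObject -Property @{
        Caption     = $os.Caption
        Build       = $build
        ExpectedKB  = $kb
        Status      = $status
        InstalledOn = $installedOn
    }
}

Test-JanuaryRollup | Format-List Caption, Build, ExpectedKB, Status, InstalledOn
```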

Apple (macOS and iOS)

Apple has confirmed that their devices are affected by Meltdown and Spectre and says that if you are running any of the following you will receive both software and hardware updates that will protect against these vulnerabilities:

  • macOS 10.13.2 or later (High Sierra)
  • iOS 11.2 or later
  • tvOS 11.2 or later
  • watchOS (in fact, Apple claims that “watchOS did not require mitigation”)

Web Browsers

Updating your browser will help protect against the Spectre vulnerability. The following are known to be patched:

  • Safari 11.0.2
  • Firefox 57.0.4
  • Chrome 64 (due Jan. 23rd)
  • Microsoft Edge
  • Microsoft IE 11 – cumulative update KB4056568

Android

If you own an Android device and you’ve applied the January security updates, you are in the clear. This isn’t as easy a process as one may think, however, since most Android phones and tablets depend on the manufacturer to package security updates. In other words, if you have a Samsung device, you’ll have to wait for Samsung to release an update for your specific device. You will need to consult with your device manufacturer, or sometimes your carrier, to determine when patches will be released.

Antivirus

Antivirus updates are important for two reasons. First, malware is required to exploit these vulnerabilities and properly updated antivirus can help prevent this malware from even installing.  Second, and more critically, some antivirus products are incompatible with these Windows patches for Meltdown and Spectre. Computers with incompatible antivirus software will even stop seeing security patches. A good article discussing this issue (including a list of compatible antivirus products) can be found at https://threatpost.com/anti-virus-updates-required-ahead-of-microsofts-meltdown-spectre-patches/129371/.