August IV and August V here to help out with the latest round of computer bugs – Spectre and Meltdown. These CPU bugs can give the bad guys access to your computer. In this post we'll cover how these bugs can effect you, and what to do about them.
Warning: Watch for phishing emails claiming to have patches for Spectre and Meltdown. Be VERY SUSPICIOUS of Spectre/Meltdown emails and links. (They may be malware.) Instead, go to the vendor websites directly – for example, if you've got a Dell computer, go to Dell's official website.
What is Spectre?
Spectre is a group of vulnerabilities and exploits based on “speculative execution”. Speculative execution is a feature in modern CPUs that allows a processor to try to complete tasks without verifying they can be properly completed, to improve performance. Using specific combinations of commands that rely on this functionality, it's possible for a malicious program to receive an “after-image” of data from another program that was speculatively grabbed and then discarded. It's theoretically applicable to any processor that uses speculative execution – in effect, nearly all modern computer processors – but most variants are somewhat difficult to exploit.
What is Meltdown?
Meltdown is a subset of Spectre that specifically exploits a vulnerability in the way the kernel (the “core” of an operating system, that connects the hardware and software) handles memory levels, allowing a properly timed program to read data from a “ring” in memory before the kernel checks whether or not it's permitted. This bypasses the privilege system that normally prohibits this from happening. This variant can only exploit processors that use a ring-based addressing system, which includes all Intel CPUs with speculative execution (i.e. virtually everything from 1995 onward) and certain ARM mobile processors (as listed https://developer.arm.com/support/security-update).
How could Spectre and Meltdown Affect Me?
Spectre and Meltdown are two groups of CPU vulnerabilities that were found in late 2017. They were widely announced around Jan 3rd, 2018.
What do Spectre and Meltdown do? Spectre and Meltdown make your computer and other devices more easily attacked. For Spectre/Meltdown to become a risk, bad guys need to install malware or malicious BIOS on your computer. Malware or malicious BIOS get installed in any number of ways, including compromised ads or fishy “updates”. (Like when you're surfing the internet and a website suggests an “update” that isn't really an update, or a scam email.) Spectre and Meltdown can't put malware on your computer on their own, but they significantly increase the threat of malware once it's gotten onto your system.
As of 1/15/2018 there is no known active use of these vulnerabilities, but their existence is public knowledge. Odds are some troublemakers are developing a practical exploit for malicious use.
How to Protect Your Computer and Other Devices from Spectre and Meltdown
There are multiple vulnerabilities within each group, so there is no single fix for Spectre or Meltdown. Microsoft has released patches that reduce the threat, but they don't eliminate it – the fix only applies to the kernel. There are also BIOS / firmware updates being released by Dell, HP, Apple and others that will improve security for the kernel – only download these from official sites.
Update Your Operating System
For Microsoft Windows devices (desktop or laptop), make sure you get the latest patches for Windows AND your Anti-Virus/Anti-Malware. There may be multiple updates as different fixes are created. Some people who updated only the Windows operating system are getting the Blue Screen of Death (BSOD) with specific types of anti-virus.
If you are running Mac OS make sure you get the latest patches.
For mobile devices – update Android and iOS wherever possible.
Linux and other operating systems will have patches available through their update systems. For more information, we recommend searching for Meltdown/Spectre news for your specific Linux variant.
Use BIOS / Firmware Patches Where Available
The operating system updates help, but it's also a necessary to update your BIOS if an update is available. The firmware on your computer or mobile device is specific to the hardware vendor. HP, Dell, ASUS, Lenovo, Microsoft, Google and others have BIOS / firmware patches for each of the vulnerabilities.
- Dell BIOS Spectre/Meltdown Links – http://www.dell.com/support/contents/us/en/04/article/product-support/self-support-knowledgebase/software-and-downloads/support-for-meltdown-and-spectre
- HP Spectre/Meltdown BIOS and related Links – https://support.hp.com/us-en/document/c05869091
- Apple related Spectre/Meltdown related links – https://support.apple.com/en-us/HT208394
- Googles Updates: https://cloud.google.com/security/cpu-vulnerabilities/
Keep Your Computer and Other Devices Protected
There's always some new bug, or malware or security breach. It's up to you to protect your computer, phone, other internet connected devices and personal information.
We outlined basic steps that you can take to protect yourself in the post , “Internet Security – 12 Steps to Avoid Computer Viruses and Identity Theft“. It's a big list, but if you take it step by step it won't be overwhelming.
Remember, keep up with your updates and use virus protection. It may seem like a hassle, but the bad guys keep changing the way they attack, so we all need to stay vigilant.
You may also find useful:
- Rural Internet Options – A Comparison of Rural Internet Services
- When the Power Grid Fails – 10 Things You Need to Prepare
- Sole Proprietorship vs LLC – Are all Your Eggs in One Basket?
This post was written by August Neverman IV and August Neverman V. August is the Chief Information Officer and Information Security Officer of Brown County. He's served on several emergency preparedness teams during his tenure at a local hospital, as well as undergoing emergency response training during his time with the Air National Guard. He and his wife, Laurie, live with their two sons in a Green Built, Energy Star certified home with a permaculture twist. August V is the tech support that keeps Common Sense Home running. He also handles the audio/video recording and editing.