What are Spectre and Meltdown vulnerabilities?
Spectre and Meltdown are names given to two identified vulnerabilities found within the chip sets that power most computers. Meltdown is specific to Intel and Apple computer processors, which are used in almost every personal computer. This would include Windows computers, Macs and Chromebooks. In addition to Intel and Apple chips, Spectre can affect almost all processor chips. Therefore, this vulnerability can be found not only in computers but also in tablets, smart phones or other smart devices.
How are these dangerous to me?
Either of these vulnerabilities might be used to steal sensitive data, such as passwords, from your computer, tablet or smart phone.
Has anyone used Spectre or Meltdown successfully to steal data?
There have been no documented cases where someone successfully exploited these vulnerabilities.
How are these different from other software vulnerabilities that we hear about?
These are different from most computer vulnerabilities in that they are found within the hardware itself. In order to speed up processing, the chip manufacturers built code right into the chips. Usually hackers find vulnerabilities within a software program and the software developer then releases a software patch to address the vulnerability. For example, a vulnerability found in Microsoft Office would be addressed by a security patch issued by Microsoft. Since Meltdown and Spectre target the chip itself, several approaches need to be taken to mitigate the risk. There will be three levels of patching:
- Firmware Level (Microcode)
- Operating System Level
- Application Level
How can I protect myself?
Hardware and software vendors are releasing patches and updates for Spectre and Meltdown as they become available. The following two web sites offer a consolidation of information on these two vulnerabilities. You will find links for many computer companies:
How do I update my firmware?
There are many companies who use the Intel chip sets that are vulnerable to Spectre and Meltdown. The three manufacturers that are used most at the RIC and districts are:
HP has published microcode updates for many of their servers: HP Server Firmware
Also, there are microcode updates for many of their laptops and desktops: HP Workstation Firmware
Dell is offering firmware patches that must be applied to each server or workstation via a BIOS update procedure.
This link is an overview of the Dell response to Spectre and Meltdown: Dell Response
This link has downloads for each BIOS and installation instructions: Dell Firmware
Cisco has identified which models are vulnerable to these attacks: Cisco Update
As mentioned in the Dell articles, the correct sequence of upgrades for VMware is:
- Apply the firmware update via BIOS update.
- Apply the applicable operating system (OS) patch.
You can get the VMware patches for recent versions at the following link: VMWare Patches
A step-by-step guide for upgrading VMware can be found here: VMWare Guide
How do I upgrade my software to prevent Spectre and Meltdown attacks?
The best thing that you can do is make sure that your computer is up to date regarding your anti-virus software and operating system updates. The recommended approach is:
- Update your anti-virus software and virus signatures. All major anti-virus providers are adding protection against Spectre and Meltdown. Whether you use Sophos, McAfee, Symantec or any other anti-virus product, follow their procedure to update their software.
Here are some links to some common Antivirus software providers:
- Apply any updates from Microsoft, Apple and Google to protect your Operating System.
- Windows-based PCs. Make sure that your system is set for Automatic Updates. The January 2018 Microsoft Security Updates include a patch that addresses Meltdown and Spectre. Please note that the Microsoft patch will only be installed on systems whose anti-virus software provider has confirmed that they comply with Microsoft software standards. The vendor must set a registry key that signals to Microsoft that they comply and it is safe to install the security update. This is why you must update your anti-virus software first and then update your Operating System. Click here to view an online spreadsheet that tracks the progress of the anti-virus providers in their patching and compatibility with Microsoft Updates.
The current patch for Windows 10: Windows 10 Update
The current patch for Windows 7: Windows 7 Update
Here is a Microsoft guide on Updating Windows.
- Mac computers. Apple released an Operating System update in December. Perform any OS upgrades that your computer suggests. Also, check the App Store for updates to software. To do this, click the Apple icon in the top left corner, select App Store, click Updates and select the macOS update. Also in the App Store, you should update any software package that indicates that an update is available.
Here is an Apple guide on Updating Mac OS.
- Chromebooks. Google announced that it patched its Chrome Operating System on December 15th.
Here is a guide from Google on Updating Chrome OS.
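The anti-virus compatibility check described in the Windows item above, as an added example that is not part of the original page: it reports whether the registry flag is set and which updates Windows has installed since the January 2018 release. The key path and value name are the ones Microsoft published for this check (they do not appear on this page), and the function name Get-AvCompatStatus is hypothetical.

```powershell
# Added example (not from the original page). The key path and value name are
# the ones Microsoft documented for the anti-virus compatibility gate.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-AvCompatStatus {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    $status = [ordered]@{
        Computer     = $env:COMPUTERNAME
        FlagPresent  = $false
        FlagValid    = $false   # must be a REG_DWORD with data 0
        UpdatesSince = @()      # hotfixes installed on or after 2018-01-01
        Advice       = ''
    }

    # Step 1: has the anti-virus product set the compatibility flag?
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        if ($key.GetValueNames() -contains $Name) {
            $status.FlagPresent = $true
            $status.FlagValid = ($key.GetValueKind($Name) -eq 'DWord') -and
                                ($key.GetValue($Name) -eq 0)
        }
    }

    # Step 2: which updates has Windows installed since the January 2018 release?
    $status.UpdatesSince = @(Get-HotFix |
        Where-Object { $_.InstalledOn -ge [datetime]'2018-01-01' } |
        Sort-Object InstalledOn |
        ForEach-Object { '{0} ({1:yyyy-MM-dd})' -f $_.HotFixID, $_.InstalledOn })

    # Step 3: turn the two findings into the order of work the page recommends.
    $status.Advice = if (-not $status.FlagPresent) {
        'Flag missing: update the anti-virus product, then run Windows Update.'
    } elseif (-not $status.FlagValid) {
        'Flag present but not REG_DWORD 0: check with the anti-virus vendor.'
    } elseif ($status.UpdatesSince.Count -eq 0) {
        'Flag set but no updates installed since 2018-01-01: run Windows Update.'
    } else {
        'Flag set and updates installed: compare the list with the current patch.'
    }
    [pscustomobject]$status
}

Get-AvCompatStatus | Format-List
```

Run it in a PowerShell window on the PC being checked; it only reads the registry and the installed-update list and changes nothing.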
How do I protect my iPad or smart phone?
iPhones and iPads are vulnerable to Meltdown and Spectre. Apple issued a patch in December as part of their iOS 11.2 release. To check and update your version of iOS, open the Settings app, select General and then Software Update. You should also update any software program, such as Safari, that issues a new release. Click here for an Apple article on updating your Operating System.
Google pushed out a fix to its own Android devices on January 2nd. If you want to check the software update status on a Google Nexus tablet or Google Pixel phone, click here.
Other Android-based tablets and phones will have to wait until the patches show up for their devices. Click here to update your Android software manually. Consider purchasing an Android antivirus app and turning off "Unknown sources" in your Security settings. This can be done by opening your Settings app, selecting Security and then unchecking Unknown Sources.