Meltdown and Spectre CPU flaws threaten PCs, phones and servers
By now you’ve probably heard about a bug Intel is dealing with that affects processors built since 1995. But according to the people who found “Meltdown” and “Spectre,” the errors behind these exploits can let someone swipe data running in other apps on devices using hardware from Intel, ARM and AMD. While server operators (like Amazon) apply Linux patches to keep people from accessing someone else’s information that’s being executed on the same system, what does this mean for your home computer or phone?
Google’s Project Zero researchers identified the problems last year, and according to its blog post, execution is “difficult and limited” on the majority of Android devices. A list of potentially impacted services and hardware is available here, while additional protection has been added in the latest Android security update.
In a statement, Microsoft said: “We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD.” In a blog post directed towards customers on its Azure server platform, the company said its infrastructure has already been updated, and that a “majority” of customers should not see a performance impact.
Apple has not publicly commented on the issue, however security researcher Alex Ionescu points out that macOS 10.13.2 addresses the issue and said that the 10.13.3 update will include “surprises.”
According to AMD, “Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time,” however it has promised further updates as the information comes out. As for ARM, it says most processors are unaffected but it has specific information on the types that are available here.
So what does this mean for you? On your devices the prescription is the same as always — make sure you have the latest security updates installed and try to avoid malware-laden downloads from suspicious or unknown sources.
Update: We’ve seen a slew of other announcements join the parade, including details from Microsoft on its Windows patches. One thing to be aware of is that the update is only going out if users are running “compatible” antivirus software, so if it doesn’t show up for you then that could be the reason.
Another consideration is that this attack could be executed via a malicious webpage loaded in your browser, so there’s an update for Internet Explorer too. Google noted that turning on Site Isolation in Chrome will mitigate potential attacks, and also said that when it releases Chrome 64 later this month, it will contain protective updates. The folks at Mozilla have confirmed that browser-based attacks are possible, and are taking measures to reduce that possibility starting with version 57 of Firefox.
Separately, VMware has updated its products to address the issue.
(34)