What are Spectre and Meltdown?
Spectre and Meltdown are security vulnerabilities found in many x86 / x64 processors ranging from Intel, ARM and AMD. It could allow attackers to steal your passwords and other sensitive data.
Some have suggested that the only true patch for these issues is for chips to be replaced, but this solution is not practical for a lot of users and most especially companies.
Vendors have been rolling out fixes and firmware updates. The Meltdown flaw has already been patched by most companies but Spectre is not easy to patch and will be around for quite some time.
Here’s the list of available patches so far:
Microsoft (Windows 7/8/10), EDGE, IE
They have already released an out-of-band security update (KB4056892) for Windows 10 to address the Meltdown issue and will be releasing patches for Windows 7 and Windows 8.
“The compatibility issue is caused when antivirus applications make unsupported calls into Windows kernel memory,” Microsoft noted in a blog post. “These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot.”
Apple macOS, iOS, tvOS, Safari
Apple said in their advisory that “All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.”
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2, to help defend against the Meltdown attacks and they are now planning to release mitigation in Safari to help defend against Spectre in the coming days.
According to Google, Android users running the most recent version of the mobile operating system released on January 5 as part of the Android January security patch update are protected.
However, proprietary Android users other than the ones from google’s Pixel or Nexus will have to wait for their device manufacturers to release a compatible security update.
The Firefox version 57.0.4 includes mitigations for both Meltdown and Spectre timing attacks. It is advised to update your browser as soon as possible.
“Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox,” Mozilla software engineer Luke Wagner wrote in a blog post.
Google Chrome Web Browser
There is a scheduled the patch for Meltdown and Spectre exploits that will be delivered on January 23 with the release of Chrome 64. It will include mitigations to protect your desktop and smartphone from web-based attacks.
In the meantime, users can enable an experimental feature called “Site Isolation” that can offer some protection against the web-based exploits but might also cause performance problems.
“Site Isolation makes it harder for untrusted websites to access or steal information from your accounts on other websites. Websites typically cannot access each other’s data inside the browser, thanks to code that enforces the Same Origin Policy.” Google says.
Here’s how to turn on Site Isolation:
- Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
- Look for Strict Site Isolation, then click the box labelled Enable.
- Once done, hit Relaunch Now to relaunch your Chrome browser.
The Linux kernel developers have also released patches for the Linux kernel with releases including versions 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97, which can be downloaded from Kernel.org.
Patches for Ubuntu are already available wherein Citrix XA/XD 7.1 CU1 has immunity to this vulnerability.