By now you’ve probably heard. A large portion of the world’s computer processors are vulnerable to at least one of two exploits that render them susceptible to hackers. But what, exactly, is going on — and what can you do to protect yourself?
While the answer to the first question is complicated, thankfully the answer to the second isn’t. It turns out that companies like Google and Microsoft have been working behind the scenes to create patches for what the security community has named Meltdown and Spectre.
But we’re not out of the woods yet, and, depending on your operating system, you still need to take some proactive measures to make sure your data is safe.
What’s in a name: Meltdown and Spectre
One of the reasons this latest threat is so complicated is because it’s actually multiple vulnerabilities that were unveiled at the same time. They’re similar in some ways, but differ in important others — a fact hinted at by their names.
According to researchers, Meltdown “basically melts security boundaries which are normally enforced by the hardware.” Spectre, meanwhile, “breaks the isolation between different applications” allowing “an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”
And what does that actually mean? Essentially, either of these vulnerabilities could be theoretically exploited to steal sensitive data, like passwords, off your computer. Spectre is also a threat to your smartphone, so no escape there.
Also, who named these exploits? The names are 🔥🔥🔥 and so correctly evocative of the issues raised by the two different but related structural issues. Spectre haunting all modern chips… The Intel meltdown… Sometimes geek poetry is real poetry. 😀
— zeynep tufekci (@zeynep) January 4, 2018
Furthermore, while Meltdown can be mostly mitigated with software patches, it is thought only certain exploitations of Spectre can be stopped in this manner. In other words, the latter is going to haunt us for some time and either could potentially require new processors for a complete fix (maybe).
So, who has patched?
Companies, if they haven’t already, are rushing to release the aforementioned “mitigations” against possible attacks that could exploit Meltdown or Spectre (a helpful patch list can be found on the Computer Emergency Response Team site). Why mitigations? Well, because the patches and updates mitigate the risk — but might not remove it completely.
Microsoft, on Jan. 3, released an update for devices running Windows 10 that was downloaded and installed automatically.
Google, for its part, issued a lengthy blog post on the same day detailing all the steps it had taken to protect users against both Spectre (Variant 1 and 2) and (Variant 3). While a lot of that work happened behind the scenes, there are still some actions you need to take yourself. For example, you should definitely enable site isolation on Chrome.
Android devices with the most recent security updates are also protected from the above mentioned variants.
Apple was a little late to the customer-facing party, but on Jan. 4 made it clear that it is indeed paying attention. Specifically, the company said that — just like with its competitors — its products are at risk. That includes “all Mac systems and iOS devices,” to be exact.
But wait, there’s good news! Patches to help defend against Meltdown were released in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and Spectre-focused patches for Safari should be hitting “in the coming days.”
What do I need to do?
Meltdown and Spectre are the real deal, and rightly have security professionals concerned. However, at this time there are plenty of things you can do to protect yourself that don’t involve buying a new computer.
Security researcher Matt Tait writes that, at least when it comes to Meltdown, typical computer users can mostly breathe easy. First and foremost, make sure your system is up to date. Download any all all patches for your operating system and browser of choice.
But, because more updates are coming down the pike, you’re not done. Be on the lookout for any and all future security releases and make sure to install them immediately. Don’t pull the classic “remind me later” bit.
And what about Spectre? This one is a little trickier.
“Spectre is harder to exploit than Meltdown, but it is also harder to mitigate,” explain the researchers behind the discovery. “However, it is possible to prevent specific known exploits based on Spectre through software patches.”
In other words, while nothing is perfect, much of the same advice applies as with Meltdown: update, update, update.
Which, well, has always been good advice.