ISMAR
Your Source for Information Security Monitoring, Analysis & Reporting. Since 2016
Meltdown and Spectre: how to stay safe
If you've been following ISMAR for a while, you know that we discuss all the major security threats by either writing articles about them, or pointing you to relevant news that discusses them. This time we've got some sad news for the entire IT world: most CPUs are plagued by two major security flaws, which could allow hackers to get access to all the information that is stored in your computer's memory. And I'm not only talking about desktops or laptops here, but also about mobile devices, cloud servers, and more.
And the bad news doesn't stop here: according to researchers, Spectre can't be easily patched through a software update; it seems that it will require a CPU redesign. Still, this vulnerability is a bit harder to exploit. On the other hand, Meltdown can be successfully patched through software, but the speed of your computer may be decreased by 20 to 30% after applying the patch. This is especially true for devices that utilize older CPUs.
The good news is that Google and Microsoft have already created patches for their operating systems, and Apple has announced that they'll do the same thing soon.
Linux is affected as well, and this means that one in three servers is now vulnerable. Cloud computing services provided by huge companies such as Amazon and Microsoft are at risk as well. According to them, the flaws in their servers are already fixed as you read this article, but system developers will need to update their cloud-based applications as well.
Mobile users are going to have to wait longer, of course, until their phones' manufacturers update the customized Android operating system that they are using for their smartphones. I bet that some manufacturers won't be too eager to patch the older phones, thus prompting their users to purchase new devices.
So, what can you do to stay safe? Begin by updating your operating system and applications. Some OS manufacturers choose a specific day of the week (Tuesday for Microsoft, for example) to send out updates and patches, but it is best to search the official download sites manually on a regular basis, until you are able to download the Meltdown and Spectre fixes for your device.
One word of advice, though: Microsoft has warned that its patches may conflict with a few antivirus products. If this happens, you will be unable to apply the patch. Under these circumstances, it is best to uninstall the antivirus, replace it with one that comes from a different company, and then try to apply the patch again.
Once the patches are in place, verify that they do their job by downloading and then running this application. If all is well, you will be greeted with a window which tells you that your system is protected against the Meltdown and Spectre vulnerabilities, that the Microcode update is available, and that the CPU performance is still GOOD, even after applying the Meltdown patch.
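On Linux machines, which are affected as well, the same verification can be done by reading the status that the kernel itself reports. The script below is an added example, not part of the original article; it assumes a kernel new enough to expose the `/sys/devices/system/cpu/vulnerabilities/` directory, and its function names and sample values are made up for illustration.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = {"meltdown": "Meltdown", "spectre_v1": "Spectre v1", "spectre_v2": "Spectre v2"}
# Constructed sample status lines, used only when the sysfs directory is absent.
SAMPLE = {"meltdown": "Mitigation: PTI", "spectre_v1": "Not affected", "spectre_v2": "Vulnerable"}

def read_sysfs(base=SYSFS_DIR):
    """Return {file name: status line, or None if the kernel has no such file}."""
    out = {}
    for name in FLAWS:
        try:
            out[name] = (Path(base) / name).read_text().strip()
        except OSError:
            out[name] = None
    return out

def classify(status):
    """Map one status line to 'ok', 'vulnerable' or 'unknown'."""
    if status is None:
        return "unknown"  # no report at all: never count this as patched
    if status == "Not affected" or status.startswith("Mitigation:"):
        return "ok"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def evaluate(statuses):
    """Return ({name: verdict}, True only if every flaw is 'ok')."""
    verdicts = {name: classify(statuses.get(name)) for name in FLAWS}
    return verdicts, all(v == "ok" for v in verdicts.values())

if __name__ == "__main__":
    statuses = read_sysfs() if SYSFS_DIR.is_dir() else SAMPLE
    verdicts, safe = evaluate(statuses)
    for name, label in FLAWS.items():
        print(f"{label:<11} {verdicts[name]:<10} {statuses.get(name) or 'no kernel report'}")
    raise SystemExit(0 if safe else 1)
```

A missing status file is reported as unknown rather than safe, because a kernel that predates the patches has nothing to report.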
Then, install, activate and use an ad blocker. Your computer may get infected even while you are visiting a 100% safe website, if it displays advertisements that come from malicious sites. It's best to block all the ads, at least for a while. I bet that you didn't like them that much anyway.
Limit your Internet browsing activity. If you jump randomly from one unknown site to the other, stop doing that right now. Only visit the sites that you know and trust. If a site doesn't use the secure HTTPS protocol, avoid going to it. It's that simple.
It looks like Meltdown and Spectre will be with us for a while. The Meltdown vulnerability can be fixed for good, even if this may lead to a significant CPU slowdown, but Spectre is likely to linger. It is true that OS manufacturers do their best to patch Spectre as well, but researchers say that the only 100% safe fix is a full CPU redesign.