How to protect yourself against Intel’s Meltdown and Spectre vulnerabilities

Meltdown and Spectre are two of the worst security flaws we’ve seen in years, and they affect most devices that contain a CPU

 

You have probably already heard about Meltdown and Spectre, a pair of disastrous vulnerabilities with serious consequences for PCs, tablets and phones, cloud servers, and different Apple products. These hardware vulnerabilities are design errors in virtually every Intel CPU manufactured since 1995, and many AMD and ARM64 CPUs.

Meltdown and Spectre allow malicious software to access kernel memory, potentially exposing sensitive data like passwords, private keys, personal data like email and photos, or anything of value you have used on your computer. This can be a malware-infected application you accidentally install on your phone or computer, or even a shady extension installed on your browser.

It isn’t clear if anyone has exploited the vulnerability yet, but the bad news is that attacks won’t leave any traces like logs because they will be using a design flaw that appears totally legit to antiviruses.

The good news is that Meltdown and Spectre have been responsibly disclosed by independent parties, and software and hardware manufacturers have already rolled out mitigations and bug fixes–although still not for every aspect of it. The Graz University of Technology, one of the parties who discovered both flaws, has set up a website where you can find further information about Meltdown and Spectre.

To keep it practical we have put together all the measures you should take to have the best protection currently possible against these vulnerabilities.

How to protect yourself against Meltdown and Spectre

To protect yourself against Intel’s CPU flaws, you should take the following steps, in order of priority:

  1. Update your operating system
  2. Update your firmware
  3. Update your software, especially your browser
  4. Keep your antivirus updated and active

Updating the OS

The most important step is to update your operating system right now. According to Jann Horn from Google Project Zero, who found out about Meltdown, “effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)” is potentially affected. Major OS makers have already released security updates for their systems.

If you have a PC running Windows, you should first check whether your antivirus is compatible with Microsoft’s latest update. You can do that by looking up your antivirus on Kevin Beaumont’s updated list. According to Microsoft, they are “offering the Windows security update released on January the 3rd, 2018, to devices running antivirus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.”

Windows automatically downloads and installs the 3rd January patch, Windows 10 KB4056892, if your AV is compatible. You can check that by going to Start > Settings > Update & Security > Windows Update > View installed update history.

Windows update history shows that my OS has Microsoft’s latest patch protecting against Meltdown

 

The logic behind it is a registry key/value pair set by AV vendors that indicates their compatibility with the new update. If your AV is not compatible, do not manually download the patch. It could lead to the blue screen of death. You can disable your AV and use Microsoft Defender while your AV vendor fixes its product.

If your AV is compatible with Microsoft’s latest patch but does not set the registry key, you can download KB4056892 here. Make sure you grab the right update for your PC architecture. To find out if your system runs a 32-bit or 64-bit Windows, simply type “system” in Windows search and click the topmost result. Under System, you can determine your OS architecture.

 

Here you can find your CPU’s architecture on Windows

 

You also have the option to set the registry key manually—I repeat, first, make sure your AV is compatible—and let Windows do the rest.

If Windows does not update automatically, you can force it to do so by going to Start > Settings > Update & Security > Windows Update, then click the Check now button under “Update status.”

[Update: According to The Register, Athlon-powered machines won’t work after Microsoft’s KB4056892 patch. Meltdown does not affect AMD CPUs but they are susceptible to Spectre. Many users have reported that perfectly working machines have crashed after the patch, without any option to roll back. The best possible solution right now seems to be disabling Windows Update for AMD Athlons.]

If you have a Mac, you can feel relieved since Apple has silently released Meltdown protections into macOS High Sierra 13.10.2 in December. If your Mac is not automatically updated, go to the App Store’s Update tab and force it to do so.

If you have a Chromebook, it should be already updated to Chrome OS 63 in December, which contains protections against the CPU flaws. If it isn’t updated yet, force it to do so.

There is also a patch for Meltdown on Linux systems. For further info, you can refer to nixCraft’s detailed tutorial.
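
To confirm that a Linux machine actually picked up the fixes, you can read the status the kernel itself reports. The script below is an added example, not part of the original article or of the nixCraft tutorial; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, or a distribution backport), and its function names and sample directory are made up for illustration.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigations.
# Assumes /sys/devices/system/cpu/vulnerabilities exists (mainline 4.15+ or a
# distribution backport). Function names are illustrative.

# classify_status <text>: map the kernel's status line to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_cpu_flaws [dir]: print "<flaw>: <verdict> (<raw status>)" per flaw.
# Returns 0 if everything is mitigated or not affected, 1 if any flaw is
# vulnerable or unreported, 2 if the kernel has no reporting interface at all.
check_cpu_flaws() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "kernel does not report mitigation status"; return 2; }
    rc=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        raw="(no entry)"
        if [ -r "$dir/$flaw" ]; then raw=$(cat "$dir/$flaw"); fi
        verdict=$(classify_status "$raw")
        echo "$flaw: $verdict ($raw)"
        case "$verdict" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: a kernel with the Meltdown patch (page-table isolation)
# but no Spectre variant 2 mitigation yet.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
check_cpu_flaws "$sample" || echo "action needed: install kernel and firmware updates"
rm -rf "$sample"
```

Call `check_cpu_flaws` with no argument to inspect the running system instead of the constructed sample.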

But the bad news is that the update can slow down your PC by between 5 and 30 percent. It depends on various factors including the CPU model (newer processors are less affected), the type of work you do, and the workload you put on your CPU. The estimates and tests vary widely and while Intel plays the impact down by stating that it is fairly small for most consumer applications like games or web browsing, others believe differently.

Updating the firmware

On January 4, Intel issued a statement saying it expects to “issue updates for more than 90 percent of [its] processor products introduced within the past five years” by the end of next week. The microprocessor giant also created a detection tool that helps you determine whether your CPU’s firmware is updated or not.

 

According to Intel’s detection tool, my laptop’s firmware isn’t updated, but unfortunately there isn’t a patch available yet.

 

As you can see, the laptop I’m working on has vulnerable firmware, but unfortunately patching it is not as easy as it may seem. By going to the link provided by Intel’s tool, I’m told that I need to “Contact [my] system or motherboard manufacturer regarding their plans for making the updates available to end users.”

Fortunately, there is a section on the page where many manufacturers are listed with special pages regarding the update. Happily, I hop over to a page on Lenovo’s website to find out that other than general information about the vulnerability, there are only some dummy placeholders for the firmware updates to come. There are some other major manufacturers listed like Dell, HP, Toshiba, etc. but I assume that at this early stage they are not much better off than the one company I checked.

Update your browser and other software

Spectre can trick software into accessing kernel memory. Intel, AMD, and ARM chips are more or less affected by the vulnerability. Therefore, software applications need to be protected against Spectre. Since browsers are the most exposed pieces of software on every computer, they’ll probably be the first targets for attackers. A browser extension or even a mere visit to a website running malicious JavaScript code could expose your system. All major browsers have already issued updates protecting against Spectre. Firefox 57 includes some defenses against Spectre. Microsoft Edge and Internet Explorer are updated along with the operating system. And Chrome 63 has added “Site Isolation” as an experimental feature. You can enable it by going to this link (chrome://flags/#enable-site-per-process) and clicking on Enable.

Keep your antivirus updated and active

According to experts, traditional antiviruses can’t detect Spectre or Meltdown attacks, since they are totally legitimate from a processor’s design point of view and generic detection algorithms won’t work. But attackers need to inject the malicious code into your system before exploiting the vulnerabilities and antiviruses decrease your attack surface. In addition, running an updated AV will help your system to detect known viruses exploiting Meltdown or Spectre by comparing binary signatures.

Hope this helps. Please let me know your experience or anything I need to add to the post.

 
