Security researchers revealed disastrous flaws in processors manufactured by Intel and other companies this week. The vulnerabilities, which were discovered by Google’s Project Zero and nicknamed Meltdown and Spectre, can cause data to leak from kernel memory—which is really not ideal since the kernel is central to operating systems and handles a bunch of sensitive processes.
Intel says that it’s working to update all of the processors it has introduced in the last few years. “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” the company said in a statement yesterday.
Unfortunately, Meltdown and Spectre impact a ton of different products—cloud services, computers, phones, and browsers. Luckily, in many cases, consumers won’t have to do much to secure their devices and services; they’ll just need to keep an eye out for updates and install them when they become available. In some cases, you may simply be out of luck.
Apple macOS
Apple said on its support page that it mitigated the Meltdown vulnerability in its December 2017 macOS High Sierra 10.13.2 update and will release an update to address Spectre soon. The company said it is continuing to “develop and test further mitigations for these issues,” which it says will be released in later updates.
This Apple security update appears to confirm that the issues are fixed in High Sierra, Sierra, and El Capitan.
Microsoft Windows
Microsoft typically puts out its security updates on Patch Tuesday (which is coming next week) but has some emergency patches out now.
“Microsoft has not received any information to indicate that these vulnerabilities have been used to attack customers at this time,” the company said in a security advisory. “Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required.”
Microsoft says Windows 7 Service Pack 1, Windows 8.1, and Windows 10 all need updates (the update for Windows 10 is here). Most Surface users receive auto-updates and information about those updates is available here.
Unfortunately, users who are running Windows on machines not manufactured by the company will also need a firmware update, and the release of those will vary based on the manufacturer. Microsoft recommends contacting the device manufacturer for information, which... good luck, I guess.
There’s also another weird wrinkle in the Microsoft update process—some anti-virus software might mess with the updates.
“Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update,” Microsoft explained. “If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor.”
Security architect Kevin Beaumont is running a helpful spreadsheet that shows which anti-virus vendors are compatible with the Microsoft update.
Google Chrome OS
To be protected against Meltdown and Spectre, you need Chrome OS 63, which rolled out in December 2017. Some older devices will get patches soon, while others aren’t getting patched at all. You can check your specific device here (look out for end of life, or EoL, in the auto-update column or the ‘KPTI eventually?’ column—it means your device probably isn’t gonna get a patch).
Ubuntu
There aren’t patches for Ubuntu yet, but those are coming soon.
“The original coordinated disclosure date was planned for January 9 and we have been driving toward that date to release fixes. Due to the early disclosure, we are trying to accelerate the release, but we don’t yet have an earlier ETA when the updates will be released. We will release Ubuntu Security Notices when the updates are available,” Ubuntu said.
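Once the Ubuntu update (or any other Linux kernel update) lands, the kernel itself reports whether the KPTI fix for Meltdown and the Spectre mitigations are active, so you can check a machine instead of guessing from version numbers. The script below is an added example, not code from this article or from Ubuntu. It assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities/ directory (Linux 4.15 and the stable and distribution backports that carried the January 2018 fixes); the function names and the AUDIT_LIVE variable are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or Ubuntu): audit the kernel's own report of
# Meltdown/Spectre mitigation status. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and the stable/distribution
# backports with the January 2018 fixes); older kernels simply lack the directory.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one status line, as written by the kernel, to a short verdict.
# "Mitigation: PTI" is the KPTI fix for Meltdown; anything starting with
# "Vulnerable" means no effective fix is active for that entry.
mitigation_state() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<entry> <verdict> <raw status>" for every file in the directory.
# Returns 0 when nothing is still vulnerable, 1 when something is,
# and 2 when the kernel does not provide the reporting interface at all.
audit_vulnerabilities() {
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: this kernel predates the mitigation reporting interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(mitigation_state "$status")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$verdict" "$status"
        [ "$verdict" = "vulnerable" ] && rc=1
    done
    return $rc
}

# Only touch the live host when explicitly asked, so the file can also be sourced.
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_vulnerabilities
fi
```

Run it as `AUDIT_LIVE=1 sh audit_vulns.sh` on the host in question: an unpatched kernel prints `meltdown vulnerable Vulnerable` and exits with status 1, a patched one prints `meltdown mitigated Mitigation: PTI`, and a kernel too old to have the directory exits with status 2, which on Ubuntu means the fix has not reached that kernel series yet.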
Apple iOS
Apple said its December 2017 iOS 11.2 update mitigates the Meltdown vulnerability, so update your device if you haven’t already. Apple’s tvOS 11.2 also included a Meltdown patch. The company said that “Apple Watch is not affected by Meltdown,” so no patch for watchOS is required.
Updates to address Spectre are forthcoming, the company said, while warning users to avoid downloading apps from unknown sources.
“Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store,” Apple said.
Google Android
“On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices,” Google said.
The company pushed out a patch to manufacturers of Android phones in December 2017, but the Android security update process can be notoriously slow because manufacturers all have their own update schedules, and some old Android devices might not get updates at all. However, older Android devices that haven’t been updated in a while are also likely vulnerable to a host of other bugs—they’re not likely to be targeted with a Meltdown or Spectre exploit when an attacker could easily choose a less complex method.
Android users with Pixel or Nexus devices will get their patches sometime this month, according to Google. Nexus users need to accept the update; Pixel users will get it automatically but need to reboot their devices for the update to complete.
“We have had no reports of active customer exploitation or abuse of these newly reported issues,” Google noted.
Google Chrome
Chrome 64 is scheduled for release on January 23 and will include protection from Meltdown and Spectre exploits.
In the meantime, Chrome has an optional feature called site isolation that can offer some protection but might also cause performance problems, particularly in Chrome on Android. Site isolation sandboxes websites into different processes, which “makes it harder for untrusted websites to access or steal information from your accounts on other websites,” according to Google.
“With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process,” Google explained.
If you’re okay with trading performance issues for better security, you can enable site isolation here.
Apple Safari
An update for Safari has not yet arrived, but Apple promised one that will protect against Spectre will land “in the coming days” for both the macOS and iOS versions of the browser.
Like other companies that have addressed performance concerns related to Meltdown and Spectre updates, Apple took an optimistic tone, saying that current tests show the forthcoming update for Safari “will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5 percent on the JetStream benchmark.”
Mozilla Firefox
Mozilla rolled out Firefox 57 in November 2017, which contains what the company calls a “partial, short-term mitigation” for the vulnerabilities.
“The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes,” Mozilla software engineer Luke Wagner wrote in a blog post. “In the longer term, we have started experimenting with techniques to remove the information leak closer to the source.”
Microsoft Edge and Internet Explorer
Updates are available for both Edge and Internet Explorer 11.
“We are making changes to the behaviour of supported versions of Microsoft Edge and Internet Explorer 11 to mitigate the ability to successfully read memory through this new class of side-channel attacks,” Edge’s principal project manager, John Hazen, wrote in a blog post. “We will continue to evaluate the impact of the CPU vulnerabilities published today, and introduce additional mitigations accordingly in future servicing releases.”
Cloud Services
This is where stuff with Meltdown and Spectre gets really messy—but also where consumers will see the least impact.
Amazon Web Services
Most AWS instances are already secured, Amazon said in a security bulletin. However, customers do need to take some action to secure their data.
“While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems,” Amazon explained.
Microsoft Azure
Like AWS, most of Azure’s infrastructure has already been updated, Microsoft said.
“Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required,” Microsoft added.
Google Cloud Platform
Some Google Cloud products are already secured, while others require customers to take action—particularly Google Compute Engine, Google Kubernetes Engine, Google Cloud Dataflow, and Google Cloud Dataproc.