On January 3, two vulnerabilities known as Meltdown and Spectre were made public by security experts. These vulnerabilities affect microprocessors (also known as CPUs) in most desktops, laptops, servers, phones, and tablets. Since the mid-90s, most processors have optimizations that let them preload bits of data associated with data currently in use. While this speeds up processing, security researchers discovered that this preloaded data can be accessed by malicious code.
Like most exploits these days, malicious code would most likely make it to your device via a link or attachment in a phishing email. If you click on a link to a malicious site, it could take advantage of these vulnerabilities to access your computer memory, enabling the capture of passwords and other information.
Protecting yourself from these vulnerabilities may involve more than just applying patches through auto-update. For example, to fully patch Microsoft systems you need to ensure that your anti-virus software is compatible and up to date, and apply a firmware patch (suspending BitLocker encryption while you update the firmware). If you are running an older device, there may not be a firmware update available.
Operating system, software, and hardware vendors are working to mitigate these vulnerabilities and are continuing to update the public on current best practices. The best course of action is to pay attention to what your operating system, browser, and device vendors suggest and apply patches as they are released for your specific platform.
While IS&T does not advocate procrastinating on patching, please be cautious and ensure that your combination of operating system patch and firmware is compatible. Earlier this week, patching for some older AMD processors running Microsoft and some Ubuntu 16.04 machines left the computers in an unbootable state. Due to the complexity of these vulnerabilities, it’s likely that patching will continue through the next month or two.
For the average end user there is no need to panic. These vulnerabilities have received a lot of press and they are significant, but they are currently considered a medium severity risk and difficult to use in an exploit. Continue to practice good security habits like keeping your operating system and browser up to date, avoiding malicious websites, choosing strong and unique passwords, and using two-factor authentication where possible. These measures will go a long way to protect you from these and other vulnerabilities.
If you have questions about Meltdown and Spectre, or would like help patching your system, contact your local IT support provider or the IS&T Service Desk.