What Are the Meltdown and Spectre Vulnerabilities and Why Should We Care?
Security researchers have discovered a set of complex flaws which are present in all modern computer processors (made after 2009) that can allow for the theft of data. These flaws have been referred to as “Meltdown” and “Spectre” in the media.
These vulnerabilities are important because they affect nearly every computing device that we all use - PCs, laptops, smartphones, and tablets, as well as many cloud computing services.
The Spectre flaw is particularly concerning as it can be leveraged by simply browsing the web using outdated software. Correcting this flaw is also a bit more involved than many past security vulnerabilities because it involves updating not only software but also firmware (software that is embedded in the CPU and motherboard).
What Should We Do To Protect Our Personal Computers From These Flaws?
First off, don’t panic! There have been a lot of news stories that make it seem like there is little you can do to protect yourself. This is not true. With all of these flaws, the most important step for you to take is to install all application, operating system, and firmware updates that are relevant to your computing device as soon as they are made available.
In terms of prioritizing checking/installing these updates, ITS recommends the following steps:
Step 1 - Make Sure Your Web Browsers Are Patched
- Firefox - Make sure you have the latest version of Firefox ( >= Firefox 57.0.4)
- Google Chrome - A patch will be released on 01/23 (Chrome 64); you can implement a workaround to protect your PC before then by enabling a feature called Site-Protection.
- Safari - Make sure you are using Safari 11.0.2 by installing the latest macOS update (for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6 - see below)
Step 2 - Patch Your Operating Systems (Windows, Android, macOS, iOS)
Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan.
- macOS High Sierra 10.13.2 - Software update to mitigate the effects of Meltdown
- macOS High Sierra 10.13.2 Supplemental Update (for macOS High Sierra 10.13.2) includes security improvements to Safari and WebKit to mitigate the effects of Spectre (includes Safari 11.0.2 update)
- iOS 11.2.2 (for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation).
- Safari 11.0.2 for macOS El Capitan 10.11.6 and macOS Sierra 10.12.6 - includes security improvements to Safari and WebKit to mitigate the effects of Spectre
- tvOS 11.2.1 (Apple TV 4K and Apple TV (4th generation))
- Apple Watch is not affected by either Meltdown or Spectre.
- Currently there are no Meltdown mitigation updates available for macOS Sierra 10.12.6 or macOS El Capitan 10.11.6.
On Android, security patch levels of 2018-01-05 or later address all of these issues. Apply system updates as soon as they are available from your phone manufacturer.
In general, apply Microsoft updates as soon as they are available (see also important note below). Not all antivirus products are compatible with the recent security update that Microsoft released. If you have not been offered the security update by Microsoft, then you may be running incompatible antivirus software, and Microsoft recommends you consult with your antivirus vendor.
Important Note! If your computer currently uses an AMD processor, then ITS does not recommend installing updates just yet. Microsoft reported on 01/09/17 that the patches have caused crashes on many PCs using AMD processors. We expect this problem to be resolved in the coming days.
Step 3 - Update the Firmware of Your Personal Computers
Computer manufacturers (e.g. Dell, HP, Lenovo, etc.) are working on releasing new firmware updates for a wide range of computers they have sold. Firmware updates are specific to the type of computer and vendor. Check your vendor's support site for more information on these updates and apply them when they are made available. (Note for Apple users: Apple bundled these firmware updates with its software updates, so no additional steps are needed for macOS computers and laptops.)
A few links to common vendor support sites:
- HP - Downloading or Updating Software
- Dell - Drivers & Downloads
- Lenovo Technical Support
- ASUS Download Center
- Acer Service and Support
How is ITS Protecting University Systems?
ITS is actively taking steps to protect all University systems from these attacks using a risk-based approach.
Because of their technical nature, the software patches and fixes for these flaws have broader implications for enterprise computing environments than for our consumer devices. ITS is therefore testing the impact of some of these fixes to ensure continued stable operation of information services as we address the vulnerabilities. We are also taking steps to protect the campus against first-wave attacks that are most likely to emerge in the coming weeks.