Meltdown and Spectre: A pair of newly-identified vulnerabilities in the world’s computer processors
Cyber + Co., No. 3
On January 3, computer security researchers with Google’s Project Zero, four universities, and several private companies published the pair of newly-discovered vulnerabilities, named Meltdown and Spectre.
What’s the problem?
Newly-discovered bugs in nearly every computer may allow hackers to steal the entire memory contents of the computers.
The vulnerabilities affect practically every computer released in the past two decades. This includes laptops, tablets, phones, smart tvs, and other smart devices.
(courtesy of https://meltdownattack.com/)
The vulnerabilities were discovered through the joint work of researchers at Google Project Zero (the company's team of security analysts tasked with finding zero-day vulnerabilities), four universities in the U.S. and Europe, and several private companies.
Who is affected by these bugs?
Everyone using a modern computer processor.
Am I affected?
Yes, definitely.
Should I really care?
Yes, most certainly. While the threat of attack appears to still be hypothetical, the potential vulnerability is massive.
What can be breached?
Everything stored in your device's memory. These vulnerabilities can compromise your device’s memory, including the sensitive data and passwords stored on the device.
Can my antivirus software block an attack?
No. Unlike most malware, Meltdown and Spectre are hard to distinguish from ordinary applications.
What should I do to protect myself?
Two things: keep your operating systems up to date, and install an ad-blocker on your web browser.
The best protection is to keep your device’s security updates current.
The Meltdown vulnerability is already being patched by companies like Microsoft, Apple, and Google.
Microsoft Windows: Microsoft has released a security update for Windows 10 on January 3 patching the Meltdown vulnerability, and will soon release patches for Windows 7 and Windows 8.
Apple: Apple has released a patch for the Meltdown vulnerability in the iOS 11.2 update and macOS 10.13.2 update.
Browsers: Chrome, Firefox, and Edge have all either updated or scheduled updates addressing the Meltdown vulnerability.
A secondary protection is to install an ad-blocker on your browser.
Nicholas Weaver explains why here.
Where can I learn more?
The researchers’ paper on the Meltdown vulnerability is available here.
The researchers’ paper on the Spectre vulnerability is available here.
Microsoft users can read the company’s security advisory here.
Google Cloud, G Suite, and Chrome customers can read the company’s summary here.
Apple users can read the company's security advisory here.
Additional official security advisories from affected companies are gathered here.
Can I see Meltdown in action?
Yes, dedicated reader who made it to the end of this post, you can.
About Cyber + Co.
Cyber + Co. is a periodic review of cybersecurity issues relevant to small businesses.
About the Author
Tom Cummins is the founder of Potomac Litigation. He has deep experience assisting clients in some of history’s largest data breaches, as well as a host of other cybersecurity incidents.