Posted by on 10 January, 2018

Modern CPUs use a process called speculative execution to operate much faster, which many processors use today. It has been incredibly useful. However, Google’s Project Zero group have discovered two vulnerabilities in this feature. It has proven itself to be an incredibly difficult thing to fix but there are finally official, functional patches available.

The first is Meltdown; it is an exploit which allows the attacker to view the contents of memory by breaking the isolation between user applications and the operating system. By accessing the computer’s memory, it can peek at all the sensitive data held by other applications. To emphasize the danger of this by elaborating, it can view literally everything your computer does, in real-time. Fortunately, there are software patches that can prevent this attack entirely.

Spectre is based off of Meltdown, and affects a much wider range of CPUs. This can be thought of as a response to bold claims that AMD and ARM processors are not affected. It works by breaking the isolation between different user applications in a way that forces the applications to display their sensitive data to the attacker, achieving the same effect as Meltdown. In fact, the more safety checks an application performs, the more vulnerable it is to Spectre. There are software patches that can cover certain exploits used by Spectre but it is much harder to stop than Meltdown. Fortunately, it is also harder for an attacker to use this exploit.

Many manufacturers have been claiming that they are not affected, many have been proven wrong. You can find a full list of affected processors here.

There is also some good news and bad news attached to this.

The good news:
1: These exploits are abused in a virus, they cannot run unless they have been installed on your machine. If you stay cautious of questionable links, websites, emails and downloads (do not torrent under any circumstances) and make sure you have an antivirus, you should be fine.
2: Although they can read all the information on your computer, they cannot actually change anything. They may be able to use this information to gain control of your computer through another method but there is a small chance of this, unless you are using the same password everywhere.
3: Although this does affect servers used for cloud based services (eg. Google Drive), they have already been patched and so your online data is secure.
4: We can fix it. weloveIT can check if you have any vulnerable devices on your network and ensure that they are all equipped with the latest defensive techniques for these exploits.

The bad news:
1: These patches considerably slow down the CPU they are implemented on. Performance differences vary based on the workload and model, but differences of up to a 30% decrease in speed have been reported.
2: Most PC and laptop processors since 1995 have been affected by this.

How to fix it:

Android Phones:
Simply go into Settings>Software Update. If it is a Google branded phone, it will download the update automatically and you just need to install it, with some models it will even install automatically too. These updates do not patch everything but patch many aspects of the exploit.

iPhones, iPads and iPod Touch:
Go to Settings>General>Software Update to gain a number of patches related to this exploit.

Windows PCs:
Go to settings>Update & security, then update.

Macs:
Open the App Store application, click on the Update tab and update your operating system.

Google Chrome web browser:
For Chrome on iOS (iPhone, iPad) Apple will deliver any necessary fixes.
On January 23rd a new version of Google Chrome should patch this, however there is already an experimental patch called Site Isolation which should fix it. To turn it on, follow these steps:
1: Save your work, you will need to quit and relaunch Chrome.
2: Enter chrome://flags/#enable-site-per-process into the URL field (where you enter the web address of a page you wish to visit) and hit Enter.
3: Where it says “Strict Site Isolation”, check the box labelled “Enable”.
4: Click “Relaunch Now”

Other browsers:
Competing browsers are also working on a fix that will be available with the next update.

Google Chromebooks:
Google claims that many Chromebooks are not affected at all. Those that are vulnerable received an update in Chrome OS version 63. Some older Chromebooks won’t get the patch, you can find the list of them here  -if it says “no” in the column titled ”CVE-2017-5754 mitigations (KPTI) on M63?” then it will not receive a patch.

Apple TV:
Go to Settings>System>Software Updates and select “Update Software”

Apple Watch:
Apple claims that this is not affected by Meltdown and they are working on patches for Spectre.

Google claims none of its other consumer-facing products are affected by these vulnerabilities.

Posted in: Day to Day