Protect yourself from Meltdown and Spectre

You've probably heard that there’s a new computer security threat out there. Well, actually there are two, and between them they affect pretty much every computer chip you might have, whether in your PC, tablet, smartphone or other devices.

The first is Meltdown. It is a hardware rather than a software (apps) vulnerability and is present in the computer chips made by Intel that have the “x86” architecture, which is pretty much every PC with “Intel Inside”. The bug could let a hacker gain access to everything on your system: logins and passwords, bank details, encryption keys, personal documents and photos. However, once exploits for this vulnerability became known, it was likely that the major cloud providers such as Amazon Web Services (AWS) and Google Cloud Platform would be among the computers affected the worst (they have now been patched, I believe). ARM chips are affected by Meltdown to a lesser degree.

Microsoft and Linux providers have already hastily patched their “kernels” to overcome the Meltdown problem with Intel chips, so let your operating system carry out its updates urgently to stay protected. The Register describes the patching process as a requisite redesign of MS Windows and Linux.

Here’s how the site described its scoop on the vulnerability on Tuesday:

...a blueprint blunder in Intel's CPUs could allow applications, malware, and JavaScript running in web browsers, to obtain information they should not be allowed to access: the contents of the operating system kernel's private memory areas. These zones often contain files cached from disk, a view onto the machine's entire physical memory, and other secrets. This should be invisible to normal programs.

Unfortunately, for older Intel processors these patches will likely lead to a reduction in chip performance of up to 30%, which means your PC is going to run a lot slower than it did before this vulnerability was found and patched.

The other vulnerability, or should I say vulnerabilities as there are many, is referred to as Spectre. It is also a hardware vulnerability affecting Intel, AMD, and ARM chips. ARM processors are present in many of the world’s mobile devices and Internet of Things (IoT) devices from washing machines to smart TVs. In fact, Spectre affects pretty much every computer and smart device. It does not rely on specific features of the chip design present in Intel chips but works across all of them.

There is no single patch for Spectre. Specific vulnerabilities may well be addressed with operating system updates but this one is not going away any time soon. According to The Register, a malicious script on a web page could churn away using Spectre bugs to extract login cookies for other sites from your browser’s memory. “It is a very messy vulnerability that is hard to patch, but is also tricky to exploit,” the site says. Chip designers are likely to have to design out the bug in their hardware to preclude attacks based on Spectre.

The industry has apparently known about Meltdown and Spectre for at least six months and has spent that time spinning its public relations campaigns working on solutions to the problems. Oh, if you’re running an older version of Windows than Windows 10, there will be no patches (time to upgrade your OS). More information about who is affected on the BBC site.

At least one tech blogger has a slightly different take on the whole issue, suggesting that as long as you allow your operating system to patch itself/update, you won’t have any problems and the 30% performance hit will only arise in rare, special circumstances for very few users. Either way, here’s my general advice on security that applies regardless of what bug or vulnerability is currently in the news:

What should you do?

  • Well, update your operating system in a timely manner as and when the providers release patches.
  • Update your antivirus and firewall.
  • Back up your data files now (should be done regularly anyway).
  • Lock down what you allow your web browser to run in terms of scripts: use a noscript type plugin/addon/extension and disable Flash and Java and their ilk (this will break some sites but they are vulnerable, and always were, to security insults and malware anyway).
  • Avoid downloading software/apps/executables from dodgy sites. If you must install software of unknown integrity use a sandbox/virtual machine to do so. (Google sandboxie for one of those).
  • Use a password manager for your logins, make it use strong passwords, and keep its master password secret and offline. Log out of and exit your password manager when you’re not using it or if you plan to visit websites that might be suspect so that its keys are not retained in computer memory and so it is not running should someone get access to your computer while you’re not using it.
  • Clear browser history and cookies every time you exit your browser or leave your computer unattended. This is an inconvenience, but means that someone in a shared office space, or wherever, cannot harvest anything from you.
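
If you run Linux, you can check that the operating system update from the first point actually took effect. The script below is an added example, not something from the original post or from The Register: it reads the status files that patched Linux kernels publish under /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```python
"""Added example: read the Linux kernel's own Meltdown/Spectre status report."""
import sys
from pathlib import Path

# Patched Linux kernels publish one status file per CPU vulnerability here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Meltdown plus the two Spectre variants disclosed alongside it.
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(text):
    """Map one kernel status line to 'ok', 'vulnerable' or 'unknown'."""
    line = text.strip()
    if line.startswith("Not affected") or line.startswith("Mitigation:"):
        return "ok"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def mitigation_report(base=SYSFS_DIR):
    """Return {name: (state, detail)} for each vulnerability in CHECKS."""
    report = {}
    for name in CHECKS:
        try:
            detail = (Path(base) / name).read_text().strip()
        except OSError:
            # No file: not Linux, or a kernel too old to report its status,
            # so an unpatched system cannot be ruled out.
            report[name] = ("unknown", "no status file")
            continue
        report[name] = (classify(detail), detail)
    return report


def needs_attention(report):
    """Sorted names whose state is anything other than 'ok'."""
    return sorted(n for n, (state, _) in report.items() if state != "ok")


if __name__ == "__main__":
    rep = mitigation_report()
    for name, (state, detail) in rep.items():
        print(f"{name:12} {state:11} {detail}")
    # Non-zero exit status lets a cron job or monitoring check flag the host.
    sys.exit(1 if needs_attention(rep) else 0)
```

A line reading "vulnerable" or "unknown" after updating means the kernel update has not been installed or the machine has not been rebooted into it yet.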