Meltdown and Spectre – what a mess

By Raffi Jamgotchian | Security

Jan 04

What's going on…

Security experts from Google's Project Zero team, have discovered flaws in processor chips that are used in the majority of the world's computers and smartphones. These flaws allow for an attacker to avoid security boundaries that are normally enforced at the lowest processing levels of the CPU (known as the kernel) to access private contents of that location's memory such as security keys and passwords.  Meltdown was specifically problematic for cloud computing vendors who have clients running on the same hardware.  A compromised computer would provide information from other clients that are running on the same hardware.  The large cloud vendors like Microsoft, Google, and Amazon have all patched their systems to protect against this sort of thing from happening.

Spectre will not be able to be fixed without processor redesign and hardware replacement but is more difficult to exploit. These design flaws affect PCs, Macs, and phones. The Meltdown flaw's patch may reduce computer performance as much as 30%. Microsoft has released a patch as has Linux. Apple has a partial patch and will have a more complete patch for their Mac's soon. Meltdown doesn't seem to affect non-Intel based computers/phones.

What you can and should do…

Nothing

Ok, not nothing. You should continue to do what you normally do to keep your systems up to date.  Make sure you have the latest Antivirus updates, make sure you have updated your operating systems from Microsoft and Apple, or your mobile carriers for your phones.  Note that these fixes may slow down your computer from a little bit to a little more than a little bit. Your IT folks will have a bit of work to do to make sure any hosted/virtual servers are patched up to date.

But there's a catch…

Unlike most updates this one is a bit tricky because it affects processors at the lowest levels. As a result there have been reports of the Microsoft Patch causing machine crashes (blue screen).  Microsoft as a result modified its patch to only install if Antivirus vendors have ensured that the A/V software is up to date and compatible with the patch through setting a flag on the computer.  The rub is not every A/V company is setting this flag as of yes.  Some will in the future, others do not plan to.  So the only away around this is to set the flag yourself.  If you follow the Bleeping Computer article linked below, it will give you some instructions based on the Antivirus software and whether you need to do the manual flag yourself.

We will be doing this on behalf of our clients–but you will have to follow for your home computers.

Reference and further reading…

(https://www.nytimes.com/2018/01/03/business/computer-flaws.html)
(https://thecyberwire.com/issues/issues2018/January/CyberWire_2018_01_04.html)
(https://www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/)
(https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-worst-cpu-bugs-ever-found-affect-computers-intel-processors-security-flaw)

Follow

About the Author

I started Triada Networks in 2008 to service boutique asset managers and to help registered investment advisers get the most of their technology investments. I’ve been providing information technology solutions for the financial services community in New York Metro for a long time now, and I’ve seen how businesses must adapt to the changes in the market and in technology in order to succeed.