Just three days into the new year, we’ve been hit by news of a significant IT security problem that plagues the processor chips used in just about everyone’s computers, most servers, and likely many mobile devices too. The vulnerabilities, of which there is more than one variant, now have names: Meltdown and Spectre.
If you haven’t read an executive summary of what Meltdown and Spectre are about, this piece from TechCrunch should quickly bring you up to speed. The security flaws are at the processor level, so the vulnerabilities affect any operating system or environment running on them. Meltdown affects Intel processors, and thus operating systems like Windows, macOS, and Android are all affected. Spectre affects Intel, AMD and ARM-based processors, so its reach is far greater, but it’s also somewhat more difficult to exploit.
For Mac users, you’ve got some good news. Apple has already patched against Meltdown in the macOS 10.13.2 update released in December 2017. If your Mac is up-to-date, you’re already patched against Meltdown. However, it is likely that the fix for Spectre is not in there yet, and will only be available in 10.13.3, unless Apple releases an interim security update.
For Windows 10 users, you need the 2018-01 Cumulative Update for Windows 10, or specifically the KB4056892 security update. The update was supposed to have become available through the Windows Update mechanism from 5pm ET on 3rd January, but my PC strangely did not see any available updates even though I tried to check manually. I’d advise that you check that your PC is actually patched.
The patch is also available for Windows 7 and 8 users now, but you’d need to download the update manually, or wait till the regular Patch Tuesday to receive the fixes through Windows Update.
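For the Windows 10 check advised above, here is one way to confirm whether KB4056892 is listed among the installed updates, on the local PC or on several machines at once. This is an added example, not from the original post; `Test-Kb4056892` is a hypothetical helper name, and a "NotListed" result means only that this specific KB does not appear in the installed-update list.

```powershell
# Added example: report whether KB4056892 appears in the installed-update list.
# Test-Kb4056892 is a hypothetical helper name, not a built-in cmdlet.
function Test-Kb4056892 {
    [CmdletBinding()]
    param(
        # One or more computers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $kb = 'KB4056892'   # the Windows 10 update named in the article

    foreach ($computer in $ComputerName) {
        $status      = 'NotListed'
        $installedOn = $null
        $detail      = $null
        try {
            # List every installed update and filter locally, so an empty
            # result (not patched) is distinct from a failed query.
            $match = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.HotFixID -eq $kb } |
                Select-Object -First 1
            if ($match) {
                $status      = 'Installed'
                $installedOn = $match.InstalledOn
            }
        }
        catch {
            # Unreachable host, access denied, etc.: do not report as unpatched.
            $status = 'QueryFailed'
            $detail = $_.Exception.Message
        }

        [pscustomobject]@{
            ComputerName = $computer
            HotFixID     = $kb
            Status       = $status
            InstalledOn  = $installedOn
            Detail       = $detail
        }
    }
}

# Check the local PC; pass -ComputerName to check others.
Test-Kb4056892 | Format-Table -AutoSize
```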
The reach of Spectre into ARM-based processors means that a lot of mobile devices are going to be affected. This is a significant problem because many of these devices are unlikely ever to receive software fixes, such as older Android devices from manufacturers that don’t have the resources to continue supporting them. On that note, all Google devices are already fixed with the 2018-01-05 security patch level.
This underscores the importance of using a flagship smartphone from a large reputable manufacturer that will continue to provide support for a reasonable time, or better yet, getting a smartphone that is directly supported by Google themselves (or an iOS device for support from Apple). This is, unfortunately, a sad situation for most users. Given how much our lives are entwined with all forms of electronic gadgetry and the Internet, you cannot get away with not caring about IT security.
If you are interested in the technical details of Meltdown and Spectre, check out Google Project Zero’s blog posting. From a technical perspective, the vulnerabilities are quite fascinating.