How to Protect Against Meltdown & Spectre Security Flaws

Jan 5, 2018 - 22 Comments

Meltdown and Spectre vulnerabilities have their own logos

Two major security flaws have been found in modern computer processors, potentially impacting nearly all modern computers in the world.

All Macs and iOS devices along with most Windows PC and Android devices are potentially susceptible to the critical security flaws, named Meltdown and Spectre.

Theoretically, the vulnerabilities could be used to gain unauthorized access to data, passwords, files, and other personal information on any impacted computer or device.

What are Meltdown and Spectre?

The vulnerabilities are described by security researchers as follows:

“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”

Having security flaws that potentially impact nearly every computer and smart phone on the planet is obviously fairly major news, and you can read more about it here, here, or here if you’re interested.

Apple has acknowledged the problem with an Apple Support article here, which cautions the following:

“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”

So what should you do? And how should you defend or protect against these security vulnerabilities?

How to Defend Against Meltdown and Spectre

The easiest way to avoid potential security trouble with Meltdown or Spectre vulnerabilities is to take a multi-prong approach to computer and device security:

  • Avoid untrusted software, and never download anything from untrusted sources
  • Use an updated web browser that contains relevant patches for these security flaws
  • Install relevant security updates and/or system software updates when they become available for your device or computer

By the way, those are good general computer security tips to practice… even after the threat of Meltdown and Spectre passes thanks to software updates. Let’s detail a bit further:

1: Avoid Sketchy Websites and Dubious Downloads

Do not download untrusted software or anything from an untrusted source, ever. Not downloading sketchy software from sketchy sources is good computing advice in general, not only to protect against Meltdown and Spectre, but also to prevent other potential malware and junkware from ending up on your computer.

Never accept an unsolicited download. Never install software that you did not specifically seek out to install. Always download and get software from trusted websites and sources, whether it’s the software developer, the vendor, or a place like the App Store.

2: Update Your Web Browsers

Another potential attack vector comes from web browsers. Fortunately, major web browsers have been (or will be) updated to ward off potential problems:

  • Firefox version 57 and later are apparently patched
  • Google Chrome will apparently be patched on January 24 with version 64 or later
  • Safari will apparently be patched in the near future for Mac, iPhone, and iPad

For Windows users, Microsoft Windows 10 and the Edge browser have been patched, and updates for other versions of Windows are due out as well. Tthe latest versions of Android have apparently been patched by Google as well.

If you’re concerned about using an un-patched web browser in the meantime, you could shift to a patched browser for the interim period until the primary browser gets repaired. For example, you could download and use Firefox 57 (or later) for a few days until Safari or Chrome gets updated.

3: Install Security Updates and/or Software Updates When Available

You will want to be sure to install relevant security updates when they become available for your devices and computers.

Another option is to update operating system software to major new release versions. Apple says they have already released mitigations for Mac, iPhone, iPad, iPod touch, and Apple TV running the following system software or newer:

It remains to be seen if Apple will issue independent security update patches for prior versions of Mac OS system software, but in the past Apple has often done this with the prior two system software releases. Hopefully macOS Sierra 10.12.6 and Mac OS X El Capitan 10.11.6 will receive separate future security software updates to protect against Meltdown and Spectre, since not all Mac users can or want to update to macOS High Sierra.

Apple Watch and watchOS are apparently not impacted.

TLDR: Significant security vulnerabilities have been discovered on basically all modern computers. Keep an eye on the Software Update mechanism of your Mac, iPhone, iPad, other computers and smartphones, update your apps and web browsers, and install security updates when they become available.

.

Related articles:

Posted by: Paul Horowitz in News, Security

22 Comments

» Comments RSS Feed

  1. R.U. Kidding? says:

    Still … has anyone read about any infections or breaches because of this processor dilema?

    After the “fix” will we see performance drops? (I have not experienced any).

    And am I at risk if my drive is encrypted?

  2. firefox 57 is horrible says:

    firefox 57 is horrible.

  3. Lee says:

    “Upgrade” to 10.13, lol pass! 10.12.6, no Java, FireFox and dont be stupid and install unknown stuff

  4. BrooklynBob says:

    Regarding the security update described at https://support.apple.com/en-us/HT208331, there is nothing to indicate patches for El Capitan or Sierra against “meltdown” were included. The real question is WHY Apple did not include patches, and when (if ever) will Apple release patches for these versions.

    On a side note: Apple’s record with security is atrocious, and they are just as flawed as Microsoft. The difference is Apple rarely (if ever) acknowledges security (or other) issues with their operating systems, whereas Microsoft regularly addresses issues and is more agressive with the release of patches (this is in part due to their corporate clients).

  5. Stew says:

    One thing does bother me. Is this another case of running away screaming when no one is actually chasing you? They were trying to keep it quiet and just fix it, but it got enough attention it leaked anyway. I don’t understand why they broadcast it and give hackers a chance to exploit it, however short that may be.

  6. Stewart Halbig says:

    I would think this is an issue that will be back-traced and find the original developers and prosecute. Of course the possibility exists that this vulnerability was totally unknown at that time.

  7. Austin Nolan says:

    The original Macs had their Apple chips then they changed them to Intel with the slogan Mac with Intel inside, was this a wise move on reflection

  8. septic-sceptic says:

    OMG!!!! perhaps it would be best if we ditch all our hardware and BUY SOME NEW STUFF (…)

  9. Tim says:

    Trang: I use Office for Mac 2011 too! Predominantly for WORD and I’m running high Sierra as well! Thanks for the heads up! Office for Mac 2016 is available but it’s another $99. This news about these vulnerabilities is a little overwhelming! I can’t remember another year that has passed without so many issues with hacking and vulnerability holes. Updates are fine but they’ll never be Air-tight! The expectation of a perfect world is unimaginable anymore!

  10. Alex says:

    I haven’t hear about a class-action against Intel yet.

    Why?

    • Troughy says:

      There probably will be, but it’s not just Intel, it’s also AMD and ARM. Maybe even Motorola and PPC, if you remember those. It’s basically every semi-modern processor because the “bug” or “flaw” is a result of how modern processing works, which basically pulls multiple instructions through the processor at once to speed things up. It’s an underlying core architecture thing.

  11. Trang says:

    If we search with google, we must click on results. I always check the green WOT dot that signifies that this is deemed trustworthy by WOT users. All of a sudden, it sent me to another site with big red warning, deemed untrustworthy by WOT. I precipitously escaped.

    If even WOT did not detect a bad website, how could browsers like me recognize which one to trust ?!

    Some websites have a purple WOT dot (unknown security), but are perfectly respectable; such evaluation signifies that only a few users have taken the effort to give their opinion.

    Is this another tricks to force customers to update an app or do a server upgrade, only to find out that their other apps are not anymore compatible ? It happened to me: after an update to High Sierra, Power Point destroyed my slides, caused many other unimaginable headaches because my Office suite 2011 becomes incompatible with High Sierra, obsolete, etc.

    Apple lacks respect for its loyal customers.

  12. Joe says:

    I already use Firefox. So that’s good.

  13. Mark Sanderson says:

    As of yet Apple have not release an update to the browser, also it’s fine saying use the latest OS, but what if like my iPad 4 the new OS in not available, I’m I supposed to just toss it in the bin and buy a new one (which is what apple would like)

    They should release a patch for ALL hardware using the venerable chips, yes I mean ALL hardware going back to the 1990s when this fault first crept into the chips.

    • boomer0127 says:

      Mark, no word yet if the Apple/IBM/Motorola PowerPC architecture has these vulnerabilities. Intel said something like 10 years since vulnerability existed, has there been a release as to the exact chipsets that are vulnerable? Apple switched to Intel in 2005?

  14. Bobber says:

    My understanding is that the fixes are in the El Capitan and Sierra updates. However, due to a nondisclosure agreement, they were not documented until now.

    And yes, iCloud is affected because it also uses the same processors. Presumably Apple is making fixes for that as well.

  15. Dun says:

    Is Icloud affected? Are files stored on icloud secure?

  16. Edwin says:

    The Security Update release notes imply that El Capitan and Sierra included the Meltdown patch, but the notes were added later (on Jan 4) which makes me wonder how they could be retro-actively applied to a security update, unless it must be downloaded and installed again?

    https://support.apple.com/en-ca/HT208331

    Anyone have an answer for this?

    Is there any easy way to verify if your Mac OS system release is patched for Meltdown and Spectre?

    Should we re-download Security Update 2017-002 and see if that does the trick?

    Here’s the relevant tidbit added later to the notes on Apple.com, this appears to be for Meltdown and I can not find a note for Spectre (maybe there is cross immunity, I do not know):

    Kernel

    Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6

    Impact: An application may be able to read kernel memory

    Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

    CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

    Anyway, someone smarter than me with security, please do chime in :)

    • Paul says:

      The prior months Security Update patches for El Capitan and Sierra *do not contain* a fix for these problems.

      Apple has updated the page you referenced and removed the 10.12.6 and 10.11.6 references. The updated version now says:

      Kernel

      Available for: macOS High Sierra 10.13.1

      Impact: An application may be able to read kernel memory

      Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

      CVE-2017-5754: Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology GmbH, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology

      Entry updated January 5, 2018

      Note the “Available for:” section has been changed to remove references for El Capitan and Sierra.

      Confusing, undoubtedly. Thus, we await separate security updates for El Capitan and Sierra. Let’s hope they arrive soon.

    • Mike says:

      There has been an industry wide agreed “silence” with regards to what the flaws are until all major affected components (O/S’s, CPU Firmware, Web browsers) were patched.

      The flaws are so severe that needed to be fixed *before* threat actors caught wind of them. Same thing happened in Linux Kernel code, changes were made & have been undocumented until now.

      Unfortunately, it has been impossible to conceal this for long enough as a lot of people started seeing undocumented patches here & there and it became understood that something big is going down.

      Vendors were eventually forced to issue statements with regards to the flaws, sadly before everything could be reliably patched. This is when Apple added the notes you saw.

      You do not need to re download security updates already applied.

  17. apparently says:

    This sounds like the work of government, so the threat is real.

    I expect that those involved are livid with the geeks that discovered these windows.

Leave a Reply

 

Shop on Amazon.com and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks

News

iPhone / iPad

Mac

Troubleshooting

Shop on Amazon to help support this site