We use cookies and similar technologies to recognize your repeat visits and preferences, to measure the effectiveness of campaigns, and improve our websites. For settings and more information about cookies, view our Cookie Policy. By clicking “I accept” on this banner or using our site, you consent to the use of cookies.

I Accept
Visit avast.com
English
Search Menu
Close
Sections
Threat Research

Meltdown and Spectre: Yes, your device is likely vulnerable

Threat Intelligence Team, 5 January 2018

“Meltdown” and “Spectre” are major vulnerabilities affecting almost every computer in the world.

UPDATE: All Avast and AVG consumer and business products have been updated to accept the Microsoft patches (see ‘Fixing the Problems’ below).

Details have emerged this week regarding two different—and both substantial—security flaws in almost every computer processor in use today. This affects Windows, Mac, Linux, Android, and iOS. It’s important to note that as of yet, no malware or cyberattack has been associated with these flaws, but now that the information is in the public domain, that could change. Either of the flaws could lead to your computer’s memory being compromised, which means sensitive data—passwords, photos, credit card details—can be accessed and stolen. Here’s a breakdown of the two vulnerabilities:

Meltdown

This flaw affects virtually every Intel-processor based computer, smartphone, tablet, and cloud service. And it is greatly problematic for large cloud-using enterprises like Microsoft and Google. If hackers wanted to exploit this vulnerability, they would rent a virtual server on the shared cloud service, and from there be able to use the flaw to access data from the other cloud users. A patch has been quickly developed to fix this problem, but unfortunately it could slow down your computer; many won’t notice a slowdown but in some specific cases it could be up to 30% slower.

Spectre

While Meltdown is specific to Intel processors, Spectre affects almost every processor on the market. This vulnerability can be exploited to “trick” your system’s safe programs into leaking sensitive data. The safeguards built into these programs are actually making the applications more vulnerable. The flaw here is inherent in the chips’ designs, and can only truly be fixed by redesigning the hardware. This will come, but it will take time. In the meantime, software patches have been, and continue to be, developed to help prevent Spectre attacks.

Fixing the problems

There are several solutions in the works to mitigate the Meltdown and Spectre flaws, including OS updates, browser updates, and firmware updates.


  • Microsoft has issued conditional fixes for Windows, offering them only to users whose corresponding antivirus solutions made adjustments to support the patches. Avast was among the first to do so. Users without an antivirus can set the registry key manually to allow the update. Here is a chart detailing the  status of patch support from antivirus providers as of January 5:

    Avast_blog_meltdown_and_spectre_antivirus_sets_registry_key_chart.png    Image Source: Kevin Beaumont
        click here to see the latest updated chart


  • Apple has released a statement that it has already released mitigations in iOS 11.2, MacOS 10.13.2, and tvOS 11.2 that will help protect Apple computers, smartphones, and tablets against Meltdown. The company is currently working on mitigations to protect against Spectre, and those will be released in upcoming versions.

  • Chromebooks were updated in December with Chrome 63 which added protection against these vulnerabilities.

  • As for browsers, some are already issuing patches. Browsers are important to fix and update since it is easy to write JavaScript to set up the situation to perform an attack. In these types of attacks, cybercriminals can steal passwords and the like. Firefox 57 and the latest versions of Internet Explorer and Edge for Windows 10 have fixes built into the updates. Google announced that Chrome 64 (coming 1/23) will also have a fix. Apple has said that it will release new mitigations in Safari to protect against Spectre in the coming days.  

These software updates are useful, but to successfully mitigate these vulnerabilities, firmware updates are essential, specifically with the Spectre flaw. Intel has released an update already, but if you have a non-Intel based system, contact your hardware manufacturer to see if updates are available yet. Microsoft has issued this firmware update for its Surface users.

Stay updated

We mean that two ways: keep your eyes on the Avast Blog for updates to this story, and also keep all of your devices updated. That means you need to update and use the latest releases (which will include the latest patches and fixes when available) on all of your devices (computers, smartphones, tablets) for these items:

  • OS
  • Firmware on your hardware
  • Browser
  • Applications

The news on these security flaws is still developing. Stay informed and, as always, stay protected.

Related articles

Threat Research

Spectre continues: Did we all trade speed for security? | Avast

Why patching especially matters in a post Meltdown and Spectre world.

24 May 2018 min read
Threat Research

Hacking iLO — take a moment to secure your servers | Avast

Ransomware attacks are as common as they are easy to produce. And we all must play a role in stopping them.

16 May 2018 min read
Threat Research

Botception with Necurs: Botnet distributes script with bot capabilities | Avast Threat Labs

VBScript allows threat actors to steal personal data and make victims vulnerable to keyloggers, banking malware, and ransomware

4 May 2018 min read

Follow us

1988 - 2018 Copyright © Avast Software s.r.o. | Sitemap Privacy policy