Meltdown and Spectre: Yes, your device is likely vulnerable

UPDATE: All Avast and AVG consumer and business products have been updated to accept the Microsoft patches (see ‘Fixing the Problems’ below).

Details have emerged this week regarding two different—and both substantial—security flaws in almost every computer processor in use today. This affects Windows, Mac, Linux, Android, and iOS. It’s important to note that as of yet, no malware or cyberattack has been associated with these flaws, but now that the information is in the public domain, that could change. Either of the flaws could lead to your computer’s memory being compromised, which means sensitive data—passwords, photos, credit card details—can be accessed and stolen. Here’s a breakdown of the two vulnerabilities:

Meltdown

This flaw affects virtually every Intel-processor based computer, smartphone, tablet, and cloud service. And it is greatly problematic for large cloud-using enterprises like Microsoft and Google. If hackers wanted to exploit this vulnerability, they would rent a virtual server on the shared cloud service, and from there be able to use the flaw to access data from the other cloud users. A patch has been quickly developed to fix this problem, but unfortunately it could slow down your computer; many won’t notice a slowdown but in some specific cases it could be up to 30% slower.

Spectre

While Meltdown is specific to Intel processors, Spectre affects almost every processor on the market. This vulnerability can be exploited to “trick” your system’s safe programs into leaking sensitive data. The safeguards built into these programs are actually making the applications more vulnerable. The flaw here is inherent in the chips’ designs, and can only truly be fixed by redesigning the hardware. This will come, but it will take time. In the meantime, software patches have been, and continue to be, developed to help prevent Spectre attacks.

Fixing the problems

There are several solutions in the works to mitigate the Meltdown and Spectre flaws, including OS updates, browser updates, and firmware updates.

• Microsoft has issued conditional fixes for Windows, offering them only to users whose corresponding antivirus solutions made adjustments to support the patches. Avast was among the first to do so. Users without an antivirus can set the registry key manually to allow the update. Here is a chart detailing the  status of patch support from antivirus providers as of January 5:
  
      Image Source: Kevin Beaumont
      click here to see the latest updated chart

• Linux kernel developers have released three patches, each developed to deal with a specific Meltdown problem. They released a patch called KPTI (aka Kaiser), which was developed to help mitigate the Meltdown flaw.

• Apple has released a statement that it has already released mitigations in iOS 11.2, MacOS 10.13.2, and tvOS 11.2 that will help protect Apple computers, smartphones, and tablets against Meltdown. The company is currently working on mitigations to protect against Spectre, and those will be released in upcoming versions.
  
  
• Chromebooks were updated in December with Chrome 63 which added protection against these vulnerabilities.

• As for browsers, some are already issuing patches. Browsers are important to fix and update since it is easy to write JavaScript to set up the situation to perform an attack. In these types of attacks, cybercriminals can steal passwords and the like. Firefox 57 and the latest versions of Internet Explorer and Edge for Windows 10 have fixes built into the updates. Google announced that Chrome 64 (coming 1/23) will also have a fix. Apple has said that it will release new mitigations in Safari to protect against Spectre in the coming days.  

These software updates are useful, but to successfully mitigate these vulnerabilities, firmware updates are essential, specifically with the Spectre flaw. Intel has released an update already, but if you have a non-Intel based system, contact your hardware manufacturer to see if updates are available yet. Microsoft has issued this firmware update for its Surface users.

Stay updated

We mean that two ways: keep your eyes on the Avast Blog for updates to this story, and also keep all of your devices updated. That means you need to update and use the latest releases (which will include the latest patches and fixes when available) on all of your devices (computers, smartphones, tablets) for these items:

• OS
• Firmware on your hardware
• Browser
• Applications

The news on these security flaws is still developing. Stay informed and, as always, stay protected.