Meltdown and Spectre what they mean to you
If you’ve not heard, two major computer vulnerabilities, Meltdown and Spectre were disclosed in early January. These are not trivial vulnerabilities, they will affect the microprocessor on almost every type of computing device in use today. Because the vulnerability is in the chip itself a simple fix is not possible. [Read an overview here]
In the interim, workarounds are being developed for many operating systems using the affected chips (i.e., Windows, Linux, iOS.)
Let’s provide a little background. Processing in a computer occurs at three levels:
- microprocessor (the computer chip)
We’ve come to rely on the integrity of the code burned into these microprocessors and firmware and we’ve had no reason to believe they could be compromised. You can’t patch a microprocessor; the only option is to replace them. “Containing” the flaws requires patches to operating systems, software and firmware.
Chip makers need to fabricate new processors to replace existing microprocessors.
How do we combat the problem
The only solution is mitigation; do as much as possible to minimize the impact of a potential attack. Since we can’t correct the microprocessor we need to contain the attack at the next levels; either through a firmware or software patch.
Computer manufacturers develop the firmware for their computers. They’re making patches to their firmware available to the public. You will need to go to their websites to install the firmware patches they’ve developed.
They’re also making patches to any other potential firmware they shipped on their computers.
If you’ve installed a third-party piece of hardware you should also check that manufacturer to be sure they’ve addressed any potential vulnerability.
Software falls into a number of categories
The operating system of every computer is software. They are the most vulnerable part of your computer. Microsoft, Apple, Google if they have not already done so will be releasing patches to their operating system. Patches will be automatically installed if auto-update is enabled; however, for many Linux systems, a more proactive approach needs to be taken.
Drivers exist on all computers to provide instructions peripherals used to communicate with us. Check the computer manufacturer website for driver updates.
Application patches are being issued. FireFox, Microsoft Edge, Safari, and Google Chrome are examples. you need to monitor the vendor sites for availability.
Internet Service Providers (ISP) have the toughest time; running both physical and virtual servers means they have a lot of patching to perform. They will have to replace older hardware.
I was told by a local ISP that they’ve been working since the first of the month to address the problem but due to the availability of patches and hardware constraints, they don’t expect to be completely secure for a couple of months.
You can expect the hosting providers taking the computers and web services off-line periodically to apply patches and replace server hardware.
What’s your plan to address this problem, Do you have one? Replacing the flawed chips is the only way to completely solve the problem. To reduce our risk, mitigation is currently the only option.