Last week, the technology world was shaken by the announcement of two flaws that reach deeply into modern computer architecture and affect just about every operating system and device in use now.
The two flaws, named Meltdown and Spectre, are both caused by the way the hardware processor interacts with the operating system on every device. The flaws give specially crafted applications the ability to read data from the computer that is supposed to be protected. It’s important to note that the flaws themselves don’t allow anyone to make changes to a device or the data on it, but the information taken by malware that exploits them can be used for further intrusions, data theft, and possible damage.
The flaws affect just about any device that uses an Intel, AMD, or ARM processor. This includes but is not limited to:
All computers and devices running Windows, all Macs, all iOS devices (iPhone, iPad), all Android devices, all server-class computers (regardless of what OS they’re running).
So far no known malware takes advantage of the vulnerability. This will change soon.
How to fix it
Microsoft has released security patches for every supported OS version, and they are available through Windows Update. See the antivirus section below before trying to apply them! If you have a server that isn’t running antivirus software, you’ll need to download and install the patch manually.
Microsoft’s Security Advisory with links to their patches: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
VMware is only affected by Spectre, and has released patches for ESXi 5.5 and above. Here’s their security advisory with links to the patches:
Apple patched this already with a mid-December update for their most current operating systems (macOS 10.13, iOS 11).
Google has released updates for most of their platforms, though some of that depends on the cell carriers forwarding the updates to their devices: https://support.google.com/faqs/answer/7622138
The Microsoft patches make a change to a Registry key that, if the OS is running an Antivirus package that isn’t updated to adapt to the change, could blue screen the OS on startup. AV vendors have been releasing patches and these will need to be applied before the Microsoft patches will show up in Windows Update.
Here is a tracking list of major Antivirus vendors and their current patch status:
Until all the patches are in place (Antivirus, then Operating System), be extra careful on the Internet. We will most likely start to see email phishing attempts that direct people to websites crafted to take advantage of this flaw, and an increase in compromised ads on web pages. At this point, everyone should know not to click on links in unexpected emails (from both unknown and known people) or strange website popups, but it will be especially important from now on.