Meltdown and Spectre are going after your private information.
Two vulnerabilities were recently brought to light. The essence of these attacks is that they let one process read supposedly secure data belonging to other processes.
Suppose you are logged in to your bank via the web. There is data there about account numbers, balances, passwords etc. Some of that will be encrypted. However, the exploit MIGHT be able to view the unencrypted data. After all, your balance and account numbers need to be displayed in a format you can read.
The first exploit, called Meltdown, seems to affect unpatched systems. When I was doing more hardware/software consulting, I was constantly frustrated by clients or their ‘advisors’ who didn’t see the need for patching/updating their operating systems and software.
A simple precaution is to make sure that your operating system and software have the latest updates.
This affects the current versions of Chrome. Supposedly Google is releasing Chrome 64, which will address the issue, but that will not be until January 23, 2018. In the meantime, they offer an experimental tool that should allow for isolation.
You can enable an experimental tool to isolate sites and applications in Chrome.
1. Determine what version you are running. Go to the menu at the top right of Chrome. Choose Help, and then About Google Chrome.
2. If you decide that you want to enable strict site isolation, enter chrome://flags/#enable-site-per-process in the Chrome address bar. That will bring up a list of experimental Chrome tools. You can enable strict site isolation there.
[Screenshot: Enable Strict Site Isolation in Chrome]
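If you look after more than one machine, the same two checks (which version is installed, and is strict site isolation on) can be scripted. The following is an added example, not part of the original post: the version string and command line are constructed samples, the threshold of 64 comes from the release mentioned above, and `--site-per-process` is Chrome's command-line equivalent of the flag, which the post itself does not mention.

```shell
#!/bin/sh
# Added example: decide whether a Chrome install still needs the interim
# Strict Site Isolation setting. All sample values below are constructed.

# Constructed sample of what `google-chrome --version` prints on Linux.
SAMPLE_VERSION_OUTPUT="Google Chrome 63.0.3239.132"
# Constructed sample of a running Chrome command line (e.g. from `ps`).
SAMPLE_CMDLINE="/opt/google/chrome/chrome --site-per-process"

# Extract the major version number from a "--version" style string.
# Prints nothing if no dotted version number is found.
chrome_major() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*$/\1/p'
}

# Report whether a command line carries the site isolation switch.
site_isolation_state() {
  case " $1 " in
    *" --site-per-process "*) echo enabled ;;
    *) echo disabled ;;
  esac
}

# Combine both checks into one verdict.
#   $1 = version string, $2 = "enabled" or "disabled"
isolation_advice() {
  _major=$(chrome_major "$1")
  if [ -z "$_major" ]; then
    echo "unknown-version"
  elif [ "$_major" -ge 64 ]; then
    # Assumption taken from the post: version 64 carries the fix.
    echo "updated"
  elif [ "$2" = "enabled" ]; then
    echo "mitigated-by-flag"
  else
    echo "enable-site-isolation-or-update"
  fi
}

# Demo on the constructed samples; on a real machine substitute
# "$(google-chrome --version)" and the actual process command line.
state=$(site_isolation_state "$SAMPLE_CMDLINE")
echo "Chrome major $(chrome_major "$SAMPLE_VERSION_OUTPUT"), isolation $state:" \
     "$(isolation_advice "$SAMPLE_VERSION_OUTPUT" "$state")"
```
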
The question is, do you enable the strict site isolation now or wait until the January 23rd release of version 64 of Chrome? The fix for Spectre seems to cause issues on mobile devices. Also, I haven’t had a chance to test it with the sites I need on a daily basis. There is a possibility of issues when accessing sites you need.
Note that this exploit has the potential to affect a wide range of devices, including phones, Linux machines, Apple-based devices and more.
In short, both exploits expose serious vulnerabilities.
For more reading:
- Mashable's article
- Graz University description of the vulnerability
- Google’s Mitigations Against CPU Speculative Execution Attack Method
Note – until things settle down the Meltdown tag will give all related posts (as of Jan 2018)