Thoughts, information and reflections about technology

Meltdown and Spectre are going after your private information.

There are two vulnerabilities that were recently brought to light. The essence of these attacks is that they can establish processes that can read the supposedly secure data from other processes.

Suppose you are logged in to your bank via the web. There is data there about account numbers, balances, passwords etc. Some of that will be encrypted. However, the exploit MIGHT be able to view the unencrypted data. After all, your balance and account numbers need to be displayed in a format you can read.

Meltdown

The first exploit, called Meltdown, seems to affect unpatched systems. When I was doing more hardware/software consulting, I was constantly frustrated by clients or their ‘advisors’ who didn’t see the need for patching/updating their operating systems and software.

A simple precaution is to simply make sure that your operating system and software has the latest updates.

Spectre

This affects the current versions of Chrome. Supposedly Google is releasing Chrome 64 which will address the issue but that will not be until January 23, 2018. In the meantime, they offer an experimental tool that should allow for isolation.

You can enable an experimental tool to isolate sites and applications in chrome.

1. Determine what version you are running. go to the menu at the top right of chrome. Choose Help, and then About Google Chrome.

 

Chrome about
Chrome about
You should see the version. In this case, it is Chrome 63. Unfortunately the fact that we are looking for version 64 is a little confusing. It does NOT refer to the 64 bit version.

 

Chrome version
Chrome version

If you decide that you want to enable strict site isolation, enter chrome://flags/#enable-site-per-process in the chrome URL bar. That will bring up a list of experimental chrome tools. You can enable strict site isolation there. 

Enable Strict Site Isolation in Chrome
Enable Strict Site Isolation in Chrome

The question is, do you enable the strict site isolation now or wait until the January 23rd release of version 64 of Chrome? The fix for Spectre seems to cause issues on mobile devices. Also, I haven’t had a chance to test it with the sites I need on a daily basis. There is a possibility of issues when accessing sites you need.

Note that this exploit has the potential to affect a wide range of devices including phones, Linux machines, Apple based devices and more.

In short both exploits expose serious vulnerabilities.

For more reading:

 

————————————————————————-

 


Note – until things settle down the Meltdown tag will give all related posts (as of Jan 2018)

 

Similar Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *

Contact me
Archives
Categories
Amazon Disclosure

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to Amazon.com and affiliated sites.