Meltdown and Spectre are two hardware bugs that potentially affect the overwhelming majority of computing devices.   Given how most of us use so many computers, mobile devices, and connected hardware, pretty much everyone is at risk.

These vulnerabilities are similar, yet work differently.  But what is of the greatest concern is how they can be used to bypass security and encryption to directly read data from the processors in your machines.

Am I affected by the bug?

Most certainly, yes.

The video below is a startling demonstration of how dangerous this can be.  Before you watch it, understand the background.   This is an actual demo of how Meltdown works.  Pay close attention to the white text on the right side of the screen in the video.   That’s actual data, bypassing any security or encryption.  Passwords, credit card numbers…nothing is safe!

 

What Should You Do About Meltdown and Spectre?

Intel Stock

Intel Stock reacted strongly to news of Meltdown and Spectre.

We rate this as a HIGH IMPACT, MEDIUM RISK vulnerability.   Clearly the impact of this could be devastating on businesses and consumers.   To be objective, no one knows if Meltdown and Spectre have been exploited in the real world.   Since there are no indications of actual attacks, some experts are classifying this as a low risk.  However, these vulnerabilities have generated a lot of press and shares of Intel have lost over $11 billion in value.   All this publicity has no doubt prompted interest in the hacking community to find profitable exploits.

United States Computer Emergency Readiness TeamIn view of this, we’re are rating this as a medium risk and are recommending that our clients follow the direction of the Department of Homeland Security US-CERTMicrosoft, Google, and other vendors.   This basically involves immediate action to:

  1. Update ALL operating systems.
  2. Update ALL browsers.
  3. Update ALL firmware.

We have already been contacting clients that are most at risk and will be issuing a newsletter with additional specifics.  If you’re not already a subscriber, consider signing up at: http://t2d.la/signup

Remember, WE HATE SPAM.

 

Learn About Meltdown and Spectre

There’s a lot of technical and general press about this major vulnerability.  One of the best explanations for non-technical people (as in most of those affected) can be found in this article:

Nearly Every Computer Made Since 1995 Is Dangerously Flawed. Here’s What You Need to Know.

http://nymag.com/selectall/2018/01/intel-chip-security-flaw-meltdown-spectre-what-to-know-explainer.html

Short URL: http://t2d.la/a032

 

One-Minute BBC Video

And here’s a one-minute video.  It’s not as explanatory as the article above, but it is a very brief, yet useful overview:


The full article can be found at:

http://www.bbc.com/news/technology-42564461

Short URL: http://t2d.la/a033

 

Need Help?

Click the Help Button below if you need help:

Help Button

Click for Help!

Need to make sure your computers and devices are updated?  Schedule an appointment now:

 

Additional Resources

Official Meltdown and Spectre Site

by Graz University of Technology

https://meltdownattack.com/

 

Vulnerability Note VU#584653
CPU hardware vulnerable to side-channel attacks

CERT Vulnerability Notes Database.  With technical information and links to official vendor statements.

https://www.kb.cert.org/vuls/id/584653

 

 

ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

Microsoft Security Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

 

Today’s CPU vulnerability: what you need to know

The Google Security Blog post that initially disclosed the vulnerabilities to the public.

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

 

About speculative execution vulnerabilities in ARM-based and Intel CPUs

Apple’s Official Statement

https://support.apple.com/en-us/HT208394

 

 

Mitigations landing for new class of timing attack

Mozilla Firefox Security Blog

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

 

 

 

 

 

Online Threat Meltdown and Spectre