A massive security flaw in Intel processors was revealed by The Register on January 2, 2018, which some speculators suggest could be the biggest of the century.
3/22/18 CHROME OS UPDATE:
On March 22, 2018 Google rolled out substantial new protections for Chrome OS devices, as part of the Chrome OS 65 update.These protections come in the form of a KPTI mitigation against Meltdown, which protect a large number of Intel-based Chromebooks and devices which were not addressed in previous patches rolled out in response to the threat, as well as Retpoline mitigation, to protect against Spectre.
To ensure your Chromebook has received the update:
- Navigate to your Status Tray, and open “Settings”
- In the left side pop-out options, scroll down and click on “About Chrome OS”
- Your Chrome OS version will be displayed near the top of the page.
- If it is not version 65 or above, click “CHECK FOR UPDATES”, to prompt installation, and follow the steps provided there.
You can stay up-to-date on the status of Chrome OS protection, and inspect a complete list of devices now protected at Chromium’s Meltdown/Spectre Vulnerability Status Page, which also lists older devices which will receive protection with the release of Chrome OS 66 update on April 24.
The internal design flaw, named “Meltdown” by Google, affects many PC and Mac computers built with Intel hardware, can allow malicious programs (including Javascript in web browsers) to access protected areas of your computer’s memory, and can lead to the loss of sensitive items like passwords.
A similar flaw, known as “Spectre”, has also been revealed to be affecting non-Intel-based devices, but less is known about Spectre at this time, and security experts suggest that it poses less of a threat at this time.
Patches are already being rolled out to fix “Meltdown” affected devices, but the patch process results in slower performance for some users. If you’re worried about the immediate security of your device, go here and follow our recommended steps.
This post will be updated as soon as new information about fixes and solutions becomes available.
So why is this making headlines if there’s already a fix on the way? Because it is a fundamental hardware design flaw which is baked into almost every Intel processor on the market, going back years. Meaning that situation affects a massive swathe of users, and the only “simple” fix results in poor performance for those devices. To put it plainly, Intel has a monster case of backpedaling to do.
What is the impact of these security flaws?
These vulnerabilities have not been fully revealed to the public yet, but attackers privy to the details of Meltdown will be able to target Intel-based devices with something as simple as a malicious webpage.
As stated earlier, Intel is deploying patches to correct for the Meltdown exploit, but the patching of these devices comes with the result of slower-performance—as much as 5-30% slower, depending on how those devices are used. According to Gizmodo, Enterprise-scale systems will be the most affected, in terms of performance. You can read more about the impact of the patch here.
Who is affected by these security flaws?
Intel has been slow to release specifics, but it’s estimated that Meltdown affects all Intel x86 CPUs produced over the past 10 years. This means that PCs, Macs, and Linux devices all run a high chance of being affected, provided they’re running on Intel CPUs.
The Spectre flaw is less clear-cut in terms of impact and scope, but according to Google’s research team, “Spectre affects almost all modern processors – including those from AMD, ARM, and Intel.” It appears, however, that Spectre is still relatively “under-wraps”, and there is no evidence that hackers have exploited it to date. Those considerations, combined with the complexity of the exploit, has researchers regarding Spectre as less of an immediate threat, but hopefully we will see fixes rolled out soon.
You can read more about the differences between Meltdown and Spectre, in this article from Wired.
What should I do next?
If you use an Intel-based device, perform a system update as soon as it becomes available.
Fixes are being rolled out for Linux and Mac devices as we speak (if you’re running either, and updated your system in the last 24 hours, chances are you’re already patched). An emergency Windows 10 update was released on 1/3/2018. Google and Android devices are also protected, under new updates that have rolled out in the past week.
Whether you’re patched or not, we highly recommend the following steps as well:
- Ensure your security software (antivirus, malware) is up-to-date.
- Use a safe, up-to-date web browser like Chrome.
Keep your business protected by making sure OS updates occur regularly, and assign individuals to manage that process.
We’ve found that as many businesses grow and acquire more devices, they tend to let devices lapse on system updates, which leads to infections, data loss, and expensive device replacement and cleaning.
If you’d like a partner to help prevent those costs, by managing your updates and watching out for threats, contact us today.
Intel is currently in a cautious position, to protect themselves as well as users. This makes it difficult to pin down the exact scale of Meltdown, and they have not yet revealed a long-term fix to circumvent the performance issues that come with patched devices, but we look forward to seeing the solutions that follow, as the story continues to break.