Reply
Honored Contributor
Posts: 14,209
Registered: ‎07-26-2014

🖥 Meltdown & Spectre Security Flaws📱 **WARNING-info overload*

[ Edited ]

How to Protect Against Meltdown & Spectre Security Flaws

 

Two major security flaws have been found in modern computer processors, potentially impacting nearly all modern computers in the world.

All Macs and iOS devices along with most Windows PC and Android devices are potentially susceptible to the critical security flaws, named Meltdown and Spectre.
Theoretically, the vulnerabilities could be used to gain unauthorized access to data, passwords, files, and other personal information on any impacted computer or device

What are Meltdown and Spectre?
The vulnerabilities are described by security researchers as follows:
“Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”
Having security flaws that potentially impact nearly every computer and smart phone on the planet is obviously fairly major news, and you can read more about it here, here, or here if you’re interested.
        
Apple has acknowledged the problem with an Apple Support *article, which cautions the following:
“All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.”
So what should you do? And how should you defend or protect against these security vulnerabilities?

How to Defend Against Meltdown and Spectre
The easiest way to avoid potential security trouble with Meltdown or Spectre vulnerabilities is to take a multi-prong approach to computer and device security:
    •    Avoid untrusted software, and never download anything from untrusted sources
    •    Use an updated web browser that contains relevant patches for these security flaws
    •    Install relevant security updates and/or system software updates when they become available for your device or computer
By the way, those are good general computer security tips to practice… even after the threat of Meltdown and Spectre passes thanks to software updates. Let’s detail a bit further:

1: Avoid Sketchy Websites and Dubious Downloads
Do not download untrusted software or anything from an untrusted source, ever. Not downloading sketchy software from sketchy sources is good computing advice in general, not only to protect against Meltdown and Spectre, but also to prevent other potential malware and junkware from ending up on your computer.
Never accept an unsolicited download. Never install software that you did not specifically seek out to install. Always download and get software from trusted websites and sources, whether it’s the software developer, the vendor, or a place like the App Store.

2: Update Your Web Browsers
Another potential attack vector comes from web browsers. Fortunately, major web browsers have been (or will be) updated to ward off potential problems:
    •    Firefox version 57 and later are apparently patched
    •    Google Chrome will apparently be patched on January 24 with version 64 or later
    •    Safari will apparently be patched in the near future for Mac, iPhone, and iPad
For Windows users, Microsoft Windows 10 and the Edge browser have been patched, and updates for other versions of Windows are due out as well. Tthe latest versions of Android have apparently been patched by Google as well.
If you’re concerned about using an un-patched web browser in the meantime, you could shift to a patched browser for the interim period until the primary browser gets repaired. For example, you could download and use Firefox 57 (or later) for a few days until Safari or Chrome gets updated.

3: Install Security Updates and/or Software Updates When Available
You will want to be sure to install relevant security updates when they become available for your devices and computers.
Another option is to update operating system software to major new release versions. Apple says they have already released mitigations for Mac, iPhone, iPad, iPod touch, and Apple TV running the following system software or newer:
    •    iOS 11.2 or later for iPhone, iPad, iPod touch
    •    macOS 10.13.2 High Sierra or later for Macs
    •    tvOS 11.2 or later for Apple TV
It remains to be seen if Apple will issue independent security update patches for prior versions of Mac OS system software, but in the past Apple has often done this with the prior two system software releases. Hopefully macOS Sierra 10.12.6 and Mac OS X El Capitan 10.11.6 will receive separate future security software updates to protect against Meltdown and Spectre, since not all Mac users can or want to update to macOS High Sierra.
Apple Watch and watchOS are apparently not impacted.
TLDR: Significant security vulnerabilities have been discovered on basically all modern computers. Keep an eye on the Software Update mechanism of your Mac, iPhone, iPad, other computers and smartphones, update your apps and web browsers, and install security updates when they become available.

**Article link I cannot  post because of "links".  Google the "title" will take you to the OXDaily article link.**

 

==============

 

*Full Apple Knowledge Base Article:

 

About speculative execution vulnerabilities in ARM-based and Intel CPUs

  

Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

 
Background
The Meltdown and Spectre issues take advantage of a modern CPU performance feature called speculative execution. Speculative execution improves speed by operating on multiple instructions at once—possibly in a different order than when they entered the CPU. To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed. If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software.

The Meltdown and Spectre exploitation techniques abuse speculative execution to access privileged memory—including that of the kernel—from a less-privileged user process such as a malicious app running on a device.

 
Meltdown

Meltdown is a name given to an exploitation technique known as CVE-2017-5754 or "rogue data cache load." The Meltdown technique can enable a user process to read kernel memory. Our analysis suggests that it has the most potential to be exploited. Apple released mitigations for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS did not require mitigation. Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

 
Spectre

Spectre is a name covering two different exploitation techniques known as CVE-2017-5753 or "bounds check bypass," and CVE-2017-5715 or "branch target injection." These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.

Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS. 

 

 

**Unable to  post Article because of links on Article page.  Use Google to locate Article by title**

 

"Never argue with a fool. Onlookers may not be able to tell the difference."


220-AuCC-US-CRM-Header-Update.gif

Trusted Contributor
Posts: 1,655
Registered: ‎11-12-2016

Re: 🖥 Meltdown & Spectre Security Flaws📱

My brain is on "meltdown" after reading this...........

Honored Contributor
Posts: 14,209
Registered: ‎07-26-2014

Re: 🖥 Meltdown & Spectre Security Flaws📱

@Roxxyhaha.gif

 

Glad I wasn't the only one!

"Never argue with a fool. Onlookers may not be able to tell the difference."


220-AuCC-US-CRM-Header-Update.gif

Honored Contributor
Posts: 9,617
Registered: ‎03-09-2010

Re: 🖥 Meltdown & Spectre Security Flaws📱 **WARNING-info overload*

I think I'm ready to go back to pencil and paper!

Esteemed Contributor
Posts: 6,372
Registered: ‎03-09-2010

Re: 🖥 Meltdown & Spectre Security Flaws📱 **WARNING-info overload*

In addition to the precautions in the OP if you are running Windows or Linux this link to Intel contains a detection tool to check if your system is vulnerable.

 

https://downloadcenter.intel.com/download/27150

The more I learn the more I realize how little I know.
Are you setting an example or being an example?
Trusted Contributor
Posts: 1,493
Registered: ‎12-31-2012

Re: 🖥 Meltdown & Spectre Security Flaws📱 **WARNING-info overload*

Don’t open link.  It contains malware thst will infect your digital device.

Esteemed Contributor
Posts: 6,372
Registered: ‎03-09-2010

Re: 🖥 Meltdown & Spectre Security Flaws📱 **WARNING-info overload*


@IMFat wrote:

Don’t open link.  It contains malware thst will infect your digital device.


If you are referring to the link in my post you are wrong.  The link is safe and comes from Intel and goes directly to the Intel detection tool article.

 

Anyone preferring a less direct way to get to the detection tool can go to theverge.com and read the article titled How to protect your PC against the major ‘Meltdown’ CPU security flaw or go to intel.com and dig for it.

The more I learn the more I realize how little I know.
Are you setting an example or being an example?