- Mozilla confirms web-based execution vector for Meltdown and Spectre attacks: “Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins,” said Luke Wagner, a software engineer with the Mozilla Foundation.
- Mozilla released Firefox 54.0.7, which includes security updates to combat Meltdown and Spectre. Additional details here: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
- Apple issued confirmation that mitigations are available in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple also updated its security support document, which has information for macOS Sierra and OS X El Capitan, but it's less clear whether those OSs have fixes ready now or will soon.
- Google updates the Chrome Site Isolation config change with additional information regarding the browser performance impact on memory usage, dev console features and printing.
- Microsoft issued an out-of-band update for Windows 10. More details here: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
Despite financial news headlines downplaying the impact, Google Project Zero disclosed vulnerabilities that impact all major CPUs, including AMD, ARM and Intel, threatening almost all PCs, laptops, tablets and smartphones regardless of manufacturer or operating system.
I have been reading about these in some depth but will not dive into any technical details because it is not really my field of study or expertise.
This post is about what you can do, now/today and what you should do and look for going forward.
Operating System Updates
Many vendors have security patches available for one or both of these attacks but it’s unclear if they address them fully – here’s the latest info:
- Windows – Microsoft has an update for Windows 10 available now, other versions of Windows will have a patch on January 9, 2018
- macOS – Apple’s macOS High Sierra 10.13.2 update last month fixed most of the holes, but macOS 10.13.3 will enhance or complete these mitigations.
- Android – Google released patches for Pixel/Nexus in the January security update. Other users have to wait for their device manufacturers to release a compatible security update.
- Linux – kernel developers have released patches by implementing kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space (or security domain).
To turn on Strict Site Isolation in Chrome:
- Copy chrome://flags/#enable-site-per-process
- Paste it into the URL field at the top of your Chrome web browser and hit the Enter key.
- Look for “Strict Site Isolation”, then click the box labeled “Enable”.
- Once done, hit Relaunch Now to relaunch your Chrome browser.
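For the Linux entry in the list above, one way to confirm that a patched kernel is actually reporting its Meltdown and Spectre mitigations. This is an added example, not part of the original post; it assumes the running kernel exposes the sysfs reporting files under /sys/devices/system/cpu/vulnerabilities/, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): report Meltdown/Spectre
# mitigation status from the Linux sysfs reporting interface.
# Assumption: the running kernel provides one file per issue under
# /sys/devices/system/cpu/vulnerabilities/, each holding a single line
# beginning "Not affected", "Vulnerable" or "Mitigation:".

# classify_status LINE -> prints ok | vulnerable | unknown
# Classification uses the leading keyword only; read the full line for detail.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> prints one line per issue and returns
#   0 = every entry mitigated or not affected
#   1 = at least one entry reports Vulnerable
#   2 = an entry is missing or unrecognised (kernel may predate the interface)
check_cpu_vulns() {
    ccv_dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    ccv_rc=0
    for ccv_name in meltdown spectre_v1 spectre_v2; do
        ccv_line=""
        if [ -r "$ccv_dir/$ccv_name" ]; then
            IFS= read -r ccv_line < "$ccv_dir/$ccv_name" || true
            ccv_state=$(classify_status "$ccv_line")
        else
            ccv_line="(no sysfs entry)"
            ccv_state=unknown
        fi
        printf '%-11s %-10s %s\n' "$ccv_name" "$ccv_state" "$ccv_line"
        case "$ccv_state" in
            vulnerable) ccv_rc=1 ;;
            unknown)    [ "$ccv_rc" -eq 1 ] || ccv_rc=2 ;;
        esac
    done
    return "$ccv_rc"
}

# Usage on a live system: check_cpu_vulns; echo "exit status: $?"
```

An exit status of 2 usually means the kernel is too old to report at all, which is itself a reason to update.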
More About the Attacks
Meltdown allows attackers to read not only the kernel memory but also the entire physical memory of the target machines, and therefore all secrets of other programs and the operating system itself.
It breaks the isolation between user applications and the operating system, allowing any application to access all system memory, including memory allocated for the kernel.
Spectre also breaks the isolation between different applications, allowing a malicious program to trick error-free programs into leaking their secrets by forcing them to access arbitrary portions of its memory, which can be read through a side channel.
Even more info can be found here: https://meltdownattack.com/