What happened?

Details emerged yesterday about two major security flaws in the processors used in most computers and phones, and many technology companies are scrambling to issue fixes for their customers. The two vulnerabilities, known as Meltdown and Spectre, affect the vast majority of computing devices made since the 1990s, with Meltdown impacting devices that utilize Intel processors, and Spectre more broadly affecting machines using chips made by Intel, AMD, and ARM Holdings.

Meltdown and Spectre -- discovered by folks working at Google's Project Zero in conjunction with researchers from several countries -- allow attackers to compromise people's computers by exploiting mistakes in the way that processors handle the memory used by multiple processes running at the same time. The bugs potentially allow a criminal to access memory containing passwords or other private information, as well as to capture users' keystrokes and mouse/tap input. Anyone accessing any website that uses JavaScript (i.e., pretty much everyone) could be at risk of attack if a website being accessed has been compromised and exploit code has been loaded onto it.

In an interview with Reuters, Daniel Gruss, one of the researchers who discovered Meltdown, described the bug as "probably one of the worst CPU bugs ever found."

How should you protect yourself?

Sadly, the answer is somewhat complicated:

For various technical reasons, Spectre is a difficult flaw to fix, and, to be blunt, we will likely remain vulnerable to it for quite some time. It is unlikely that software providers will be able to provide fixes -- so we must hope that the hardware firms find a way to address it. The good news, however, is that Spectre appears to be an extremely difficult vulnerability to exploit.

As for Meltdown, Microsoft and Apple have issued operating system patches -- so make sure to keep your devices up to date. Some users of third-party antivirus software may not automatically receive the Microsoft patch. Also, Microsoft and Mozilla have issued patches for their web browsers -- to defend against exploitation via browsing -- so make sure that you have the latest version of your browser (which most people will have via auto-update). While Google has issued fixes for Android, it has not yet fully fixed its Chrome browser -- so, if you use Chrome, you should enable the browser's Site Isolation feature, which keeps the websites in different browser tabs in separate spaces in memory.

Adding to the mix, however, is a monkey wrench: Some folks claim that installing the patches slows down computers using Intel chips by as much as 30 percent.

Eventually, there will likely also be BIOS updates available as downloads, and updates for smartphones and tablets -- these should be installed as well.

Here is the bottom line: We will likely be living with some vulnerability for some time. But you can still protect yourself as much as possible by keeping your devices up to date -- which is advice that should have been followed before the present bug discovery, and should be followed afterward, as well.

Published on: Jan 4, 2018