Defend Against 'Meltdown' and 'Spectre'

How to Defend Against 'Meltdown' and 'Spectre' Security Flaws

This nightmare pair of exploits will be haunting us for years, but there are a few things you can do right now.

MELTDOWN AND SPECTRE

By Eric Limer

Yesterday, we found out about a wide-reaching security exploit that affects a decade's-worth of computer processors. As the details dribbled out, it became clear there two distinct but related exploits "Meltdown" and "Spectre," and while the lingering effects will likely haunt us for years, there are a few things you can do to protect yourself right now.


Both Meltdown and Spectre exploit a feature of computer processors called "speculative execution." This is when a CPU performs an action before it necessarily knows if it needs to be done, a key method in letting it do its job as fast as possible. Meltdown and Spectre, however, are ways this method can be exploited to let hackers run code without proper permission and potentially see anything your computer is doing.

Meltdown exploits features of Intel's x86-64 processors specifically (the kind of processor you almost undoubtedly have), and can be protected against with operating system-level security updates that are rolling out now. Spectre represents a broader range of more complex and sophisticated attacks that could work on virtually all processors and may be impossible to completely protect against in software alone.

What you can do right now

Meltdown will require an update to your operating system in order to protect your whole computer. Microsoft has started pushing out emergency updates through its Windows Update system. Windows 10 updates should be available immediately, with Windows 7 and 8 updates following next week. Apple, for its part, has yet to comment on a fix for macOS.

In the meantime, you can shore up the most likely point of attack by ensuring your web browser is not vulnerable. Both vulnerabilities can be exploited through Javascript, so short of downloading compromised apps, malicious websites are likely the biggest immediate threat.

SECURE YOUR BROWSER

Google Chrome 64, which is coming on January 23rd, will have updates to help protect against these exploits, but fortunately Chrome already has a feature called "Site Isolation" that can help, though it is disabled by default and will negatively affect performance. To turn it on, type chrome://flags/#enable-site-per-process into your Chrome browser bar and select the box next to "Strict site isolation." You can find the same feature in chrome://flags on Android, but the fix does not work on iOS.

Firefox versions 57 and up have also implemented a quick fix by reducing the ability of websites to gain access to the precise timing details that would be required to execute an attack.

Apple has yet to issue a statement about its Safari browser, so the best immediate step you can take is to make sure that you are using a secure version of Chrome or Firefox until an OS-level update comes out for your system. If you are running the latest, emergency-updated version of Windows 10, for example, you should be in the clear. But most importantly, make sure all of your software—operating systems and browsers specifically—are up to date at all times. It's good security hygiene in general, but all the more important with this new world of exploits in the wild.