Although most of the news sites initially reported the Meltdown and Spectre security flaws as present in an Intel processor, it is now known to affect other processors like AMD and ARM as well. That means all devices using these processors like PCs, MacBooks, servers, Android and iOS devices are affected.
What are the Spectre and Meltdown security flaws?
These are security holes introduced by two different optimization techniques used by the processors namely: Speculative Execution and Out-of-order execution.
The technique used to exploit Speculative Execution is called Spectre and has two variations. One that takes advantage of the bounds checks bypass and the other that exploits the capability to do branch target injection by altering the branch target buffer to execute the rogue process.
The technique use to exploit the out-of-order execution performance feature is called Meltdown. This enables a rogue process to read memory of another process or virtual machine in the cloud without permission or privileges.
How to protect yourselves?
Most of the tech industry giants have responded quick. Google in particular developed a mitigation technique to protect against Spectre and shared it with other partners.
The Android 2018-01-05 Security Patch Level(SPL) includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors. These changes were released to Android partners in December 2017
OS versions prior to 63 are not patched. Chrome OS systems started receiving version 63 on 12/15/2017.
Go to the Google FAQ for steps to take on Google cloud and other Google products.
After being vocal in his criticism of Intel’s responses to the problems, Linus Torvalds released the first new Linux kernel of 2018 on Jan. 28, after the longest development cycle for a new Linux kernel in seven years. Linux 4.15 was released with improved Meltdown, Spectre Patches. Read the release announcement from Linus Torvalds here.
Microsoft Windows 10
After Intel’s Buggy fix to Spectre, Microsoft has issued a patch to fix this.
Microsoft has announced more security updates for Windows 10 devices in its March Patch Tuesday. These can be found here. They have also lifted the AV compatibility check put in earlier on Anti Virus software that made calls to the kernel memory.
Apple Devices: MacBook, iPhone, iPad, Apple TV
Firefox 57.0.4 released on Jan 4, 2018 includes the two mitigations
Microsoft Edge: Microsoft has released an update to Windows Client to fix the vulnerability on Edge(KB4056890). Check details.
Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.
Safari Apple has released new security updates aimed at protecting Safari and WebKit from the Spectre attack. Check details here.
Amazon Web Services(AWS) team put out a security bulletin on Jan 03, 2018 with instructions for customers to follow on protecting their servers against the vulnerability.
These are only the first set of software mitigations. With increasing pressure, Intel admitted that these updates do not totally eliminate the risks. They are now implementing hardware mitigations directly into their chips.