Meltdown and Spectre Explained

Ben Greiner

Computer researchers have recently discovered the main chip in most modern computers — the CPU — has a hardware bug. It's really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on a network, including workstations and all servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

So, What Are We Doing About This?

We need to update and patch all machines on the network. For any of our Forget Computers or Robot Cloud clients, this is something we continuously and actively work toward. However, this extra patching is going to take some additional time, and some of the patches are not even available yet. We anticipate patches will be coming for both operating systems and applications.

In the meantime, we need you to be extra vigilant, keep security top of mind, and Think Before You Click. Malware must already be running on a vulnerable machine to exploit this vulnerability. So ... remind your team to not let bad guys into their machine to start with. :)

To help you stay safe online in the office and also at the house, please consider the Security Program we built in partnership with WIMZKL. Or contact us to start Security Awareness Training in your office.

Want to know more? Here is a good site with an FAQ and videos about this SNAFU. Also, read the updates as we post them in the comments below.

2 Comments

  • Ben Greiner

    Apple released three updates today that are supposed to address the Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerability:

    1. macOS High Sierra 10.13.2 Supplemental Update
      For 10.13.2 (and only 10.13.2, doesn’t show up as an option for a 10.13.0 or 10.13.1 Mac)

    2. iOS 11.2.2
      I applied it to my phone and nothing blew up. 

    3. Safari 11.0.2 (11604.4.7.1.6 or 12604.4.7.1.6)
      For 10.11.6 and 10.12.6. Here’s the fun part: Apple originally released Safari 11.0.2 in December. They essentially just reissued it today with a new build number.

    Apple also updated this article, About speculative execution vulnerabilities in ARM-based and Intel CPUs. The second paragraph gives a wee bit of hope that fixes for Meltdown are coming for OSes other than 10.13.2:

    Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. To help defend against Spectre, Apple has released mitigations in iOS 11.2.2, the macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2 for macOS Sierra and OS X El Capitan. Apple Watch is not affected by either Meltdown or Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, and tvOS.

  • Ben Greiner

    WED JAN 10, 2018 SUMMARY

    At this time Apple has only addressed Meltdown in:

    • macOS 10.13.2
    • iOS 11.2  
    • tvOS 11.2

    The Spectre vulnerability should be patched in:

    • Safari 11.0.2 (build 11604.4.7.1.6) for 10.11
    • Safari 11.0.2 (build 12604.4.7.1.6) for 10.12
    • Safari 11.0.2 (build 13604.4.7.1.6 or 13604.4.7.10.6) or check for macOS build number 17C205
    Edited by Ben Greiner
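
The version lists in the January 10 summary above can be turned into a quick audit check for a Mac. This is an added example, not part of the original post or its comments; the function names `ver_ge` and `patch_status` are hypothetical, and treating any numerically later version as also patched is an assumption.

```shell
#!/bin/sh
# Added example: compare a Mac's versions against the Jan 10, 2018 summary.
# Assumption: a version numerically >= a listed one also carries the fix.

# ver_ge A B: succeed when dotted version A >= B, field by field as integers.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# patch_status OS_VERSION OS_BUILD SAFARI_BUILD
# prints "meltdown=<state> spectre=<state>"
patch_status() {
    os=$1; build=$2; safari=$3
    meltdown=missing; spectre=missing
    # Meltdown: the summary lists only macOS 10.13.2 as patched.
    if ver_ge "$os" 10.13.2; then meltdown=patched; fi
    # Spectre: minimum Safari 11.0.2 build per OS release, from the summary.
    case $os in
        10.11|10.11.*) min=11604.4.7.1.6 ;;
        10.12|10.12.*) min=12604.4.7.1.6 ;;
        10.13|10.13.*) min=13604.4.7.1.6 ;;
        *) min= ;;
    esac
    if [ -z "$min" ]; then
        spectre=unknown   # OS release not covered by the summary
    elif ver_ge "$safari" "$min" || [ "$build" = 17C205 ]; then
        spectre=patched
    fi
    echo "meltdown=$meltdown spectre=$spectre"
}

# On a Mac, report the live values; elsewhere call patch_status directly.
if command -v sw_vers >/dev/null 2>&1; then
    patch_status "$(sw_vers -productVersion)" "$(sw_vers -buildVersion)" \
        "$(defaults read /Applications/Safari.app/Contents/Info CFBundleVersion)"
fi
```

Comparing each dotted field as an integer matters here: a plain string comparison would rank 10.13.10 below 10.13.2.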