Meltdown and Spectre: How to Protect Your PC, Mac and Phone
[UPDATED Tuesday, Jan. 9 with NVIDIA update, Windows Update status.]
The three big bugs in Intel, AMD and ARM chips disclosed last Wednesday (Jan. 3) are pretty scary, as they could let malware or other intruders steal data from the core of the operating system (for Intel-based systems) or from other applications (for all devices). There are a couple of steps you can take to fix or mitigate these problems, but you should know a few things as well.
1) As far as we know, none of these vulnerabilities have been exploited in the wild yet, so don't panic. As of this writing, there is no known malware actively using these to attack computers or smartphones. The "Spectre" and "Meltdown" attacks you're hearing about are academic exercises to prove that the vulnerabilities exist, and the ways in which those attacks operate have not been fully disclosed.
2) Before you patch your system, make sure your computer or smartphone is running antivirus software, if possible (sorry, iPhone users) and that your web browsers are fully up-to-date, with Java and Flash plugins deactivated.
The Meltdown attack based on one of the flaws can only work locally — i.e., the attack has to come from within the targeted machine. That means it has to get on the machine first, and the best way to get on the machine is with regular forms of internet-borne malware, which antivirus software will block. (There are compatibility issues with some kinds of Windows antivirus software. See below.)
3) Of the three flaws, the first one affects only Intel chips, Apple mobile chips and at least one ARM chip. Unfortunately, that includes all Intel CPUs made since 1995, except for Atom chips before 2013 and Itanium chips.
Meltdown also affects Apple's A7-through-A11 ("Bionic") line of mobile systems-on-a-chip used in the last few years of iPhones, iPads and iPod Touches. Also affected is the ARM Cortex-A75 design, which will be used in the upcoming Qualcomm Snapdragon 845 system-on-a-chip for the next generation of Android flagship phones.
The Meltdown attack that exploits this flaw makes it possible for user-based applications to read kernel memory, and thus any protected process on the machine. Your secrets — passwords, credit-card numbers, sensitive documents — are no longer safe.
The other two flaws are related and let user-based applications read each other's memory. Again, your secrets are no longer safe, but the Spectre attack related to these flaws is harder to pull off than the Meltdown attack. Unfortunately, these flaws are also harder to fix, and may force chip redesigns in the future. The flaws affect some AMD and many ARM chips as well as most Intel chips.
4) There have been reports that applying these fixes will greatly slow down your machine. We had thought that was mostly unfounded, as processes that occur mainly within applications or lean heavily on graphics cards — such as gaming — should not be affected. What will slow down are processes that lean heavily on the kernel, such as, well, artificial performance tests.
However, Microsoft and Intel said Jan. 9 that while Intel CPUs made since 2016 were minimally affected, PCs with chipsets made in 2015 and earlier would see more significant slowdowns.
5) There have been reports that applying the Windows update might brick computers with older AMD CPUs. Microsoft has halted pushing out updates to those chips for now.
6) There have been reports that the Meltdown patch was referred to in developer circles as "Forcefully Unmap Complete Kernel With Interrupt Trampolines," or F***WIT. We can confirm that this is true.
Now that that's over, the most important thing you can do to protect yourself against Meltdown and Spectre attacks is to apply software and firmware patches, which are still rolling out. Here's what's available so far:
Microsoft: Fixes for both the Meltdown and Spectre-related flaws on Windows 7, Windows 8.1 and Windows 10 were pushed out Jan. 3.
But hold on! It turns out that the patches are incompatible with many antivirus products. Negative interactions could cause a "stop" error — i.e., a Blue Screen of Death. Microsoft has asked antivirus makers to include a change to the Windows Registry with their updates to certify that the software is compatible. Without that Registry key, the update won't even download.
In its infinite wisdom, Microsoft has not said which AV products are and aren't compatible. If Windows Update doesn't fetch the updates for your machine, then you're supposed to assume that your AV software might be incompatible.
However, Microsoft has made clear that if you don't apply these updates, you will not be able to receive any more security patches in the future. That's not exactly convenient for people trying to patch older hardware.
We have security researcher Kevin Beaumont to thank for creating a constantly updated online spreadsheet listing AV software compatibilities with the Windows patches.
As of Monday, Beaumont said most consumer antivirus makers had updated their software to both be compatible with the updates and perform the Registry update required for everything to go smoothly. Most enterprise endpoint-antivirus makers had also made their software compatible, but were leaving it up to IT staffers to perform the Registry tweaks.
If you're both impatient and really confident in your techie skills, you can manually update your Registry to make compatible software that doesn't update the Registry work. (We recommend waiting.)
There's one more catch: The Windows update doesn't update the firmware on your CPU, which also needs a fix to completely solve these problems. You'll have to wait for Lenovo, Dell, HP or whoever made your laptop or PC to push out a firmware patch. Microsoft Surface, Surface Pro and Surface Book users are getting that firmware update now.
At CES 2018, Intel CEO Brian Krzanich said the company would soon have firmware ready for all CPUs released in the past 5 years. It's not clear what happens with CPUs older than 5 years.
Android: The January security patch Google pushed out to its own Android devices on Tuesday (Jan. 2) fixes the flaws on affected devices. Non-Google device owners will have to wait some time before the patches show up on their phones or tablets, and some Android devices will never get the patches. Make sure you're running Android antivirus apps, and turn off "Unknown sources" in your Security settings.
macOS: After 24 hours of radio silence, Apple confirmed Thursday that Macs had been patched against Meltdown in December with the macOS High Sierra 10.13.2 update and corresponding fixes for Sierra and El Capitan. If you haven't already applied this update, click the Apple icon in the top left corner, select App Store, click Updates and select the macOS update.
With regard to Spectre, Apple delivered an update for macOS High Sierra on Monday, Jan. 8.
iOS: As expected, Apple confirmed that iPhones and iPads were vulnerable to the Spectre attacks. The surprise was that they were vulnerable to Meltdown as well. (This may be because the A7 chip and its descendants are partly based on Intel chips.) As with Macs, the Meltdown issue was patched in December, in this case with iOS 11.2, which can be installed by opening Settings, tapping General and tapping Software Update.
Linux: Linux developers have been working on these fixes for months, and many distributions already have patches available. As usual, the updates depend on your distribution. Linux PCs will probably need to update the CPU firmware as well; check the website of whoever made your system's motherboard.
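One way to see whether your Linux box actually has the fixes, as an added check that is not part of the original article: patched kernels report their own mitigation status in one file per issue under /sys/devices/system/cpu/vulnerabilities/, and the CPU's loaded microcode revision (the "firmware" mentioned above) appears in /proc/cpuinfo on x86. The script assumes a kernel new enough to expose that sysfs directory; older kernels get a "no report" result rather than a false all-clear.

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's own report of
# Meltdown/Spectre mitigation status. Each file under the sysfs directory
# reads "Not affected", "Vulnerable[: detail]" or "Mitigation: <technique>".

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS: print "ok" for a mitigated or inapplicable issue,
# "vulnerable" for anything else (including partial retpoline builds,
# which the kernel itself still labels "Vulnerable").
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        *) echo vulnerable ;;
    esac
}

# check_mitigations DIR: print one line per issue found in DIR and return
# 0 only if every issue is mitigated. Returns 2 when DIR is absent, so a
# pre-fix kernel is reported as "unknown", never as "safe".
check_mitigations() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerability report at $dir (kernel predates the fixes?)"
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-12s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Stand-alone use: report on the running kernel, then show the microcode
# revision so it can be compared with what the board vendor has shipped.
if [ -d "$SYSFS_VULN_DIR" ]; then
    check_mitigations "$SYSFS_VULN_DIR" || echo "one or more issues remain unmitigated"
    grep -m1 '^microcode' /proc/cpuinfo 2>/dev/null || true
fi
```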
Chrome OS: This was patched with Chrome OS version 63 on Dec. 15.
Google Chrome browser: This will be patched on all platforms with Chrome 64 on Jan. 23. If you're worried, you can turn on an optional feature on desktop and Android Chrome browsers called Site Isolation, which may increase memory usage. (Site Isolation is on by default in Chrome OS.)
Mozilla Firefox browser: The new "Quantum" Firefox browser has been updated to 57.0.4 to prevent Spectre attacks. Updates should happen automatically. Firefox 52, an extended-support version of the previous browser that is compatible with older Firefox add-ons and extensions, is already partly protected against Spectre.
Microsoft Internet Explorer 11 and Microsoft Edge browsers: Patched with the Microsoft updates mentioned above.
Apple Safari browser: Apple patched iOS and macOS versions of Safari with the Jan. 8 updates mentioned above, and Safari on macOS Sierra and OS X El Capitan that same day.
Intel: Again, all Intel chips made since 1995, with the exception of Itanium and pre-2013 Atom chips, are vulnerable. Intel is crafting firmware that will be passed on to device manufacturers and then to end users.
AMD: AMD first said yesterday that it wasn't affected, but then backtracked after Google showed that some chips were vulnerable to Spectre attacks. In a posted statement, AMD says that the problem will be "resolved by software/OS updates to be made available by system vendors and manufacturers." (Again, hold off on updating Windows on Athlon II CPUs until Microsoft figures out what's bricking some of those machines.)
ARM: Cortex-A75 chips, not yet publicly available, are vulnerable to both the Spectre and Meltdown attacks. Other Cortex chips listed in this ARM posting are vulnerable only to Spectre attacks.
NVIDIA: On Jan. 3, the company posted a statement: "We believe our GPU hardware is immune to the reported security issue and are updating our GPU drivers to help mitigate the CPU security issue. As for our SoCs with ARM CPUs, we have analyzed them to determine which are affected and are preparing appropriate mitigations."