Typically, security update news stories cover just Macs or just PCs. Today, though? Today is special.
Newly disclosed security flaws connected to the Intel and AMD chips used by Macs and PCs (and Linux boxes) are at the root of today's concern, and these vulnerabilities leave your system open to being hijacked by remote users. Both 32-bit and 64-bit Intel and AMD machines are affected, although ARM chips appear not to be. Oh, and PC users have two extra reasons to download updates, as dual critical flaws -- currently being exploited in the wild -- are patched by this month's round of Windows updates.
All of these flaws were disclosed yesterday (May 8), so update now before the bad guys take advantage.
MORE: 12 Computer Security Mistakes You’re Probably Making
What To Do
On your PC (Windows 7 to 10, and Windows Server 2008 up to version 1803), run Windows Update.
In Windows 10, it's found by right-clicking on the Start Menu button, selecting Settings and clicking Windows Update. Click Check for Updates and install them upon download. You'll likely have to restart your computer, so make sure you're not in the middle of any important processes.
In Windows 7, click the Start button, select Control Panel, click System and Security, then click on Windows Update.
On a Mac, click the Apple icon in the top left corner and select App Store. Once App Store opens, click Updates and click Install next to Security Update 2018-001. This process works on macOS and OS X versions dating back to 10.9 Mavericks, released in 2013.
Even Linux machines are affected. The Linux kernel was patched on March 23, but as usual, most users will be dependent on their distribution of choice to push out an update. Red Hat's patch is here, and Ubuntu's patches are here and here. If you're into FreeBSD (yes, we know it's not Linux), here's the update.
Unlike the issues that led to Spectre and Meltdown, the operating system-makers, not Intel and AMD, seem to be responsible for this one. According to the United States Computer Emergency Readiness Team (US-CERT), the operating systems were not designed to properly process a specific debugging process. This vulnerability has been enumerated as CVE-2018-8897.
If unpatched, system data could be exposed to an attacker, or the attacker could even hijack the machine. Microsoft says that the attacker would need to first log in to the system before doing any damage, but that leaves out the inconvenient truth that malware that gets into a machine through other means is for all intents and purposes a logged-in user.
But Wait, There's More
One of the Windows-exclusive exploits (classified as CVE-2018-8174) that's patched with the latest updates from Microsoft is even more dangerous, as miscreants are already using it. Further, it only requires a logged-in user to click on a link, which could be distributed via any of the many social engineering methods such as phishing emails, or could also be delivered through a corrupted website or malicious web ad. That user would also need to have administrator rights, an unfortunate situation that is widely common but that we strongly advise against.
The other Windows vulnerability (CVE-2018-8120) being exploited at the moment could wipe and steal data, install programs and create accounts with full user rights.
Credit: Tatiana Popova/Shutterstock