Posh Security

View Original

Updated: A Home User Guide to Spectre and Meltdown

You might be feeling like Homer Simpson when reading about Meltdown and Spectre.

Updates

2018-01-29

Intel has released updates for variant 2 of the Spectre attack. Several OEMs have started pushing this update out to their customers. There have been widespread reports of device instability. Intel have since recommended that users do not deploy these updates. My recommendation is to hold off on any firmware/BIOS updates for a few more weeks.

Microsoft has also released updates resolving issues with those originally released. The first round of updates resolved issues with AMD systems, the second provides the option to manually disable and enable the Spectre Variant 2 fixes. These updates are not published via Windows Update, you will need to manually install it. If you are experiencing stability issues since these updates have been installed, you may wish to consider installing these updates.


Unless you have been living under a rock or in a case, you have probably heard of the CPU vulnerabilities: Meltdown and Spectre. There’s been quite a lot of media hype, you could be forgiven thinking that these are world-ending bugs. My opinion, and that of others is that this isn’t something to panic over.

Neither Meltdown or Spectre have been used in attacks. While there's proof-of-concept (POC) code that exploits these vulnerabilities, there's no evidence that they've been used in any attacks.

Generally, most guidance has been right, yet I've seen some incorrect or deceptive statements on social media. I wanted to address these in a very quick post, and give some more concrete steps.

I've broken down the response into four main categories, Windows 10, Apple iOS and macOS, Android and finally Web Browsers.

Windows 10

Let’s start with the Windows users. If you're running Windows, you need to ensure that both your anti-virus, computer’s firmware and Windows are all up-to-date to be fully protected.

I'm assuming you're running Windows 10. If you're running any older version of Windows, please update, Windows 10 is the most secure Windows to date. Windows 10, especially the latest Fall Creators update contains a significant amount of new security protection features, all available to you out-of-the-box and configured for you.

Regrettably, due to the Windows ecosystem, ensuring you're safe isn’t as simple for Windows users as Microsoft or those of us in the industry would like.

1 - Update Anti-Virus (AV) Software

During testing, Microsoft found that the fixes might result in a Blue Screen of Death (BSOD) when installed on computers running some anti-virus software. Basically, some AV products hook into Windows in a weird way that conflicts with the patch.

To ensure that you don’t end up with a broken PC, Windows won't install the patch if it thinks there might be an issue. How does Microsoft know? Your AV software needs to create a specific registry key to let Windows know it's ok to install the patch.

For most AV products, they're creating they required key, but there are quite a few that don't. How o you know if your product supports the fixes? Thankfully, Kevin Beaumont has been maintaining an extremely helpful list.

What if you don’t run an AV product? What if you have disabled Windows Defender completely? I haven’t tested to confirm, but you may need to create the registry manually.

Another pitfall is that you need to ensure your license or subscription for your AV product is valid. Often, I see people using the AV that came bumbled with their computer; that’s ok, if you maintain the license. The bundled AV products often come as time limited trials, or only last for a year. Sometimes when they expire, it isn’t obvious, and you're left with no protection at all!

Actions:

  • Ensure that you have a license for your AV product. If your license has expired, you can switch back to Windows Defender.
  • Ensure that your AV product is up-to-date.

2 - Update Computer Firmware/BIOS

A common misconception is that these issues can be fixed at an Operating System layer. Operating System updates only address Meltdown, to resolve Spectre, we need to install firmware updates on your computer’s hardware.

Your computers Original Equipment Manufacturer (OEM), will need to make updates available to you to ensure that your computer is running the correct processor fixes.

Microsoft and Dell have released updates for their computers, Lenovo appears to be patched but I can’t find anything official. There's no word from HP, and it doesn’t appear that they've released any updates for these vulnerabilities. It's worth noting that Microsoft hasn’t released firmware updates for the original Surface Pro or Surface Pro 2. The smaller vendors weren't included in the pre-announcement work, so they're playing catch-up; for instance, Razer is currently working on update for their Razer Blade line.

Actions:

  • Depending upon your computer, the firmware updates may happen automatically, or you may need to manually do them. Check with your OEM.
  • Check with your OEM to determine if firmware updates are available.

3 - Update Windows 10

The different versions of Windows 10: Release, Anniversary, Creators and Fall Creators; make it a harder to confirm you have the correct updates installed.

The first thing we need to do is determine what version of Windows 10 your computer is running:

  1. Open Windows 10 Settings app.
  2. Select “System”, then “About”.
  3. Under the heading “Windows Specifications” look at the “Version Field”.
  4. Make a note of the number. It will typically be 1507, 1511, 1607, 1703 or 1709.

You can see I am running Windows 10 Pro 1709 (Fall Creators Update).

Next, we need to check if the related update is installed.

  1. Open the Windows 10 Settings app. If you kept it open from the last stage, select “Home”.
  2. Select “Update & Security”.
  3. Select “View installed update history”.
  4. Under “Quality Updates”, look for an update with the appropriate knowledge base (KB number) as listed in the table:

Windows 10 Versions and their Spectre/Meltdown Patches

You can see here that KB 4056892 has been installed on my computer.

Please Note: Right now Microsoft has suspended pushing out the Spectre patch to some systems with AMD processes due to another BSOD issue. I will update this post when more informaiton is available.

Actions:

  • Ensure that the January updates for Windows 10 have been installed according to the steps above.

Apple iOS and macOS

All the Apple line-up, except for the Apple Watch, are impacted by Meltdown and Spectre. This includes Apple iPhones and iPads running their A-series processors. Fixes were included in the macOS 10.13.2, iOS 11.2 and tvOS 11.2 updates released in December. These updates include hardware firmware updates and operating system fixes.

Actions:

  • Ensure macOS 10.13.2, iOS 11.2 and tvOS 11.2 or greater are installed.

Android

Android has always been slow on the uptake for security updates due to the diversity of devices out there. Updates need to be created by the Android team, and then distributed out via your device’s maker or in some cases, your mobile carrier. The result is often, updates, be they stability, performance or security updates, just don’t reach you the end-user.

Updates have already been made available by the Android team, with Google pushing them out to supported Nexus and Pixel phones. The problem is that there's been little to no word from the other Android phone and tablet makers.

Actions:

  • Supported Pixel and Nexus Devices: Ensure you're running the latest update.
  • Confirm with your devices maker if updates are available.

Web Browsers

The most likely way that these vulnerabilities will be exploited is via JavaScript, a type of code that webpages can run in your browser. Due to this risk, this Microsoft, Google, Apple and Mozilla have all released update to their browsers with new protection mechanisms.

Actions:

  • For Microsoft Edge and Internet Explorer, the protections are included in the patch that we looked at earlier.
  • Google will be releasing protections as part of Chrome 64, which is scheduled to be released on January 23rd.
  • Apple released updates for Safari on the January 9th. For Windows and macOS, you can install these directly. For iOS devices you'll need to ensure that you install iOS 11.2.2.
  • Firefox 57 will include the protections, it's scheduled to be released on January 23rd as well.
  • Other browsers like Opera and Brave haven't provided schedules for the updates. As these are based on Chromium, expect updates around January 23rd.

Conclusion

There is no reason to panic over the Meltdown and Spectre CPU vulnerabilities. Ensuring that your computer is updated, from your computers firmware, to operating system, to anti-virus and browser will keep you protected.

Kieran Jacobsen

See this social icon list in the original post