Friday, January 05, 2018

Meltdown and Spectre - what to do

This week we have seen two major processor flaws one dubbed "Meltdown" (which is intel only) the other called "Spectre".

The Details.

Meltdown (CVE-2017-5754)  

This is an Intel only security flaw and it affects intel's branch prediction technology. This means that someone figured out how to get the processor to get what they want from your active memory in what was suppose to be a clear and secure separated memory space between the user memory and the Kernel.  This fix could cause a performance hit in some cases up to 30%

Spectre (CVE-2017-5753, CVE-2017-5715)  

This flaw affects most modern processors made by a variety of manufacturers, including Intel, AMD and those designed by ARM.  The flaw potentially allows hackers to trick otherwise error-free applications into giving up secret information. Spectre is harder for hackers to take advantage of but is also harder to fix and would be a bigger problem in the long term.  This could be the source for multiple problems in the years to come.

What you can do to protect yourself.

Update to the latest version of Chrome (version 64 or later on January 23rd). You can also enable Strict Site Isolation which will use 10 - 20% more memory, and cross-site iframes will not work properly when printing.  FireFox is patched in version 57.0.4 and later.  Firefox has a feature called enable First-Party Isolation which you can enable for additional privacy protection.  The Strict Site Isolation in chrome and the First Party Isolation in FireFox may break functions that some sites use on the internet.  Enabling these features is a good idea but not necessary.


Check Windows Update and ensure KB4056892 is installed for Windows 10, Windows 7 and 8 patches are expected by Patch Tuesday.  If your having difficulty installing the patch you may have to disable your anti-virus software before you install.  The patch may have issues with third party anti-viruses although some AV vendors have already issued fixes. Kaspersky issued its fix Dec. 29 in anticipation of a Microsoft fix to be issued Jan. 9 on the regular Patch Tuesday. McAfee has a page with products tested so far that are compatible. ESET said it has released Antivirus and antispyware scanner module 1533.3 for all consumer and business users that is compatible with the Microsoft patches.

Be sure to check your PC OEM website for support information and firmware updates and apply any immediately.


Is working on a patch and is expected to release one soon.  Mac OS 10.13.2/10.13.3 and iOS 11.2 with have patches for these flaws - There are no known exploits at this time.

Apple Watch OS is unaffected.  


Users running the most recent version released on January 5 as part of the Android January security patch update are protected according to Google.  So, if you own a Google-branded phone, like Nexus or Pixel, your phone will either automatically download the update, or you'll simply need to install it. However, other users will have to wait for their device manufacturers to release a compatible security update.

Please note that at this time there is no known successful exploitation of either Meltdown or Spectre on ARM-based Android devices.

Kernel fixes are out depending on which version of linux you are using so patch! - Ubuntu will be patched by January 9th!


Google, Amazon, Microsoft, and others are working on and implementing patches for these issues.

The only real fix for these flaws are new computers (silicon) but there won't be any fix in this or the next generation of processors.  The actual fix requires an architectural redesign in the processor hardware which is now at 10nm.  Most likely your looking at least 3 computer generations from now before these issues might be fixed properly.


How to fix CURL call imporitng an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...