PEOPLE HAVE BEEN warned to install updates on their computers and mobile devices in a bid to protect against vulnerabilities that could allow hackers to access sensitive data.
The Spectre and Meltdown vulnerabilities affect computer chips from Intel, AMD and ARM.
Personal computers, mobile phones, servers and operating systems such as Microsoft Windows, Linux and Apple macOS could be impacted. Software companies have issued patches to fix the vulnerability.
Brian Honan of BH Consulting said failing to install these patches will leave people at risk of hackers stealing sensitive information such as passwords from the memory of their computer.
Honan said people could also be lured to third-party websites that could exploit the bug on their PC.
Honan said websites are also at risk, particularly if they gather sensitive data, and should “deploy the patches as quickly as possible”.
In a statement, Intel said: “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.”
“There’s the potential that applying the patches could impact the performance of the machines,” Honan said, noting that older machines or those already under a lot of pressure may be particularly affected.
He described the situation as a “Catch 22″ as people won’t know if their device’s performance has been affected until they install the patch.
However, Honan said the pros of installing the patches outweigh the cons, stating: “This issue is so widespread it’s only a matter of time before it’s used in attacks.”
Some researchers have said any fix could slow down computer systems by 30% or more. Responding to this, Intel said: “Any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Last year, Google’s Project Zero team discovered serious security flaws caused by a technique used by most modern processors to optimise performance.
Researcher Jann Horn demonstrated that malicious actors could take advantage of the technique, known as speculative execution, to read system memory that should have been inaccessible.
In a statement, Google said: “For example, an unauthorised party may read sensitive information in the system’s memory, such as passwords, encryption keys or sensitive information open in applications.
“Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.”
How to Protect Yourself From Meltdown
The Meltdown flaw, luckily, is already being patched by companies like Microsoft and Google. To ensure you’re up to date, follow the instructions for your operating system.
Microsoft: Microsoft has already released an update for Windows 10 patching the vulnerability, and is releasing patches for Windows 7 and Windows 8 soon. If you’re having trouble installing the automatic security update, Microsoft suggests your anti-virus might be the culprit. If so, turn off your anti-virus program and use Windows Defender or Microsoft Security Essentials (or edit your registry if you’re confident you won’t mess it up). If you’re on Windows 10, chances are you’ve either automatically downloaded the update, or are scheduled to update on a set schedule. Advanced users can check if they’re affected by running Microsoft’s verification test in your command line.
Browsers: Google Chrome, Mozilla’s Firefox, and Microsoft Edge have all updated or scheduled updates to patch the security flaw. You can update Google Chrome to its latest, patched version on January 23, or download Firefox’s latest update.
Android: Android users running the most recent version of the mobile operating system are protected, according to Google.
How to Protect Yourself From Spectre
While you can protect yourself from Meltdown, it’s harder to defend against the more invasive Spectre flaw. According to researchers involved in discovering and reporting on the two exploits, software updates to patch particular flaws in Spectre are possible, though none are available yet, or are able to address the exploit completely without a redesign of the operating system and the microprocessor itself.