The recent discovery of the critical vulnerabilities “Meltdown” and “Spectre” has raised a ruckus. They are more than just cool-sounding names.
Most vulnerabilities you know of affect your devices at the software level, meaning the device gets slowed down or stops working “digitally.”
However, these new vulnerabilities, Meltdown and Spectre, affect your devices at the HARDWARE level. They can potentially “trick” the anti-malware and protection features on your device – without setting off a warning or leaving any traces in a log file.
This article will show you how to patch your devices to fix these vulnerabilities.
How The Cyber War Works
Hackers have their own network of social communities where they share stories of conquest and the vulnerabilities they discover.
Unfortunately, this means that once a vulnerability is discovered, it can be exploited even by a computer-savvy teenager. Hacking can be surprisingly easy when detailed instructions are laid out step by step.
Meltdown and Spectre have started a new war between these hackers (also called “crackers” – basically hackers who live on the dark side) and those defending our devices.
It’s an intense race between the two sides – one side trying to find the security holes and exploit them, while the other races to patch up these holes.
Usually when a vulnerability is discovered, a small number of people may be affected before it gets quickly patched up by the defending team.
Unfortunately, not much can be done for this small number of people who have been affected, but on the whole – the defending team usually wins.
The update gets rolled out (usually without the general consumer’s knowledge) and… problem solved, right?
While true for most people who use the latest software versions and hardware, it’s not the case for everyone.
A notorious example is the Windows XP operating system, which has been discontinued and has no support from Microsoft.
Most people know that Windows XP is not very secure, but they don’t know just how vulnerable it is. So many vulnerabilities have been discovered in XP that a savvy teenager could watch a YouTube video and learn how to hack into computers running Windows XP.
Meltdown And Spectre Impacts On You
Luckily, at this stage the vulnerabilities have been discovered but not exploited in a large-scale way.
They represent a huge potential risk – but hardware manufacturers and anti-malware teams are working quickly to patch up these problems.
These two vulnerabilities affect nearly every computer chip manufactured in the last 20 years (as we said earlier, this is a hardware vulnerability). They could allow attackers to gain access to data that was previously thought to be secure.
How These Vulnerabilities Work
Meltdown and Spectre have opened up the potential for malware to exploit two key techniques that speed up computer chips: speculative execution and caching.
- Speculative Execution – This is where the chip works faster by “predicting” certain logical branches and starting on them before the actions are even taken. This speeds up processing but can also be exploited to allow malicious attackers to gain access to data they normally would not be able to get into.
- Caching – This is a technique that speeds up memory access. Because it takes a while for the CPU to fetch data from RAM, a small amount of data is kept in memory on the CPU chip itself – called the CPU cache.
The problems happen when these two techniques interact with another feature called “protected memory.”
Protected memory is an important concept in computing. It basically says no process can access certain data unless it is given permission.
However, speculative execution and caching allow a process to bypass this restriction even if it doesn’t have the level of permission to do so.
This allows malicious users to access data when they normally would not be allowed.
In essence, because anything with a computer chip is affected by Meltdown and Spectre, the problem affects more than just your Apple devices. It can affect appliances, PCs and even cars if they use computer chips.
However, in this particular article we have focused on securing Apple devices.
If you need help securing your PCs or other non-Apple devices, please get in touch with us.
What You Need To Do On Your End
To prevent exploitation of your Apple devices, here’s what you need to do:
macOS
- Ensure your Mac is up to date by hitting the Apple icon in the top left of your menu bar.
- Select “About This Mac,” then check if your version number reads macOS 10.13.2 or greater
- If not, hit the Software Update button below the summary of your Mac’s system information.
iOS
- Update your iOS device to iOS 11.2 by visiting Settings > General > Software Update.
- Ensure your iOS device has a 50 per cent charge (or is plugged in) before updating to reduce the risk of running out of battery during an update.
Apple TV
- Update your Apple TV to tvOS 11.2.
- Visit Settings > System > Software Updates to check if you’re up to date, and follow Apple’s instructions on updating older Apple TV devices.
Apple Watch
- Apple says your Apple Watch isn’t affected by the flaw, so you can rest easy on that front.
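If you look after several devices, the version checks above can be scripted. The following is an added example, not part of the original article or any Apple tooling: it compares each device's OS version with the minimums listed above, field by field, so that 10.13.10 is not mistaken for something older than 10.13.2. The function names, host names and inventory are made up for illustration; `sw_vers` is the standard macOS command-line tool.

```shell
# Added example (not from the article): audit OS versions against its minimums.

# version_ge A B: succeed if dotted version A >= B, comparing field by field as
# numbers (a plain string compare would wrongly rank 10.9.5 above 10.13.2).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=; else b=${b#*.}; fi
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
    done
    return 0
}

# patch_status OS VERSION: print OK, UPDATE, NOT_AFFECTED or UNKNOWN.
# Minimums are those given in the article; it lists Apple Watch as not affected.
patch_status() {
    case $1 in
        macOS)    min=10.13.2 ;;
        iOS|tvOS) min=11.2 ;;
        watchOS)  echo NOT_AFFECTED; return 0 ;;
        *)        echo UNKNOWN; return 0 ;;
    esac
    case $2 in ''|*[!0-9.]*) echo UNKNOWN; return 0 ;; esac
    if version_ge "$2" "$min"; then echo OK; else echo UPDATE; fi
}

# audit: read "host os version" lines on stdin, print each with its status.
audit() {
    while read -r host os ver; do
        [ -n "$host" ] || continue
        printf '%s %s %s %s\n' "$host" "$os" "$ver" "$(patch_status "$os" "$ver")"
    done
}

# Constructed sample inventory (hypothetical host names), not real data.
INVENTORY='mbp-07 macOS 10.9.5
mbp-09 macOS 10.13.10
ipad-03 iOS 11.1.2
atv-01 tvOS 11.2
watch-02 watchOS 4.2'

printf '%s\n' "$INVENTORY" | audit

# On a Mac, check the local machine too; sw_vers is the stock macOS tool.
if command -v sw_vers >/dev/null 2>&1; then
    patch_status macOS "$(sw_vers -productVersion)"
fi
```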
Analysis of these techniques revealed that the Spectre vulnerabilities are extremely difficult to exploit, even by an app running locally on a Mac or iOS device. However, they can potentially be exploited in JavaScript running in a web browser.
On January 8th, Apple released updates for Safari on macOS and iOS to mitigate these exploit techniques. The Safari mitigations have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark. This is an ongoing project for Apple, which continues to release new updates.
Need Help Securing Your Devices?
Please feel free to contact the Advanced Computers team at 09 444 8823 for more details.
We’re offering a $20 discount to all Advanced Computers blog readers when you send in your Apple devices for a security check-up by 30 June 2018.
Just let us know that you’d like to claim your $20 discount after reading this blog post and we’ll slash $20 off the quoted price.
We are open 6 days a week (Mon-Fri 9:30am – 6pm, Sat 10am – 4pm).