What’s the problem?
First, a quick explanation of the two flaws which, put simply, put your private data at risk. Meltdown affects Intel processors and Arm’s A-75 chip. There are two variants of the other flaw, called Spectre. This affects Intel, AMD and ARM processors. Obviously, sensitive data shouldn’t be exposed when inside the main processor in your phone, laptop or PC. Also, everyday apps shouldn’t be able to access data (from the computer’s memory) which is being used by the operating system or by other apps. However, it is possible to access this data using the Spectre and Meltdown vulnerabilities and it means that a hacker could use malware to gain your credit card number, passwords and other data if you use an unpatched device. All major operating systems are also affected, including Windows, macOS and Linux. Currently, though, there’s no known malware which uses the Meltdown or Spectre vulnerability, so the risk of your credit card information ending up in someone else’s hands because these flaws is almost zero. It’s the same for the newly discovered Foreshadow flaw. It appears that security experts and the big chip and software developers have known about the vulnerabilities for months, if not years. Only on 3 January 2018 did this information become public For more information on the differences between Meltdown and Spectre, read the Meltdown Attack website.
What do I need to do?
The best advice is to ensure your software is up to date. These days a lot of software updates automatically, but it pays to double-check that your devices are running the latest version of their operating system and that all of the software you run is also up to date. Intel says it has now released microcode updates for all of its processors launched in the last five years, but you’ll get these only if Windows is up to date. It has also announced that it won’t patch certain processors which are more than five years old, since these are no longer supported. The advice from Ondrej Kubovic, security awareness specialist at ESET, is that users can improve their security by applying Meltdown and Spectre patches issued by OS, browser and other software developers. Of course, the safest thing to do is to replace the vulnerable hardware for newer non-vulnerable components. The ‘keep your system up to date’ advice is simple, common-sense security practice. And it’s pretty much the same as protecting your data from ransomware. The patching process for Windows has been messy, to put it mildly. However, that should now be a thing of the past after various bugs which caused a number of problems from unwanted system shutdowns to crashes and incompatibility with some antivirus software. Patches for macOS and Linux are now out, but Google says that Android devices which have the latest updates installed are already protected. An update for the Chrome web browser is also out: version 64 was first released on 24 January but go to the menu (three dots at the top-right) then choose Help > About and the latest version should be installed automatically. iPhones and iPads are affected by Spectre too: Apple released iOS 11.2.2 to address the vulnerability.
Will antivirus software prevent an attack?
In theory, an up-to-date antivirus program should block any attacks, but in practice they are – according to security experts – extremely difficult to detect. The good news is that there is no known malware which exploits these flaws. But it is still a good idea to keep your antivirus, operating system and apps up to date. Don’t forget to be vigilant when clicking on links in emails and on websites to avoid downloading malware in the first place.
Is my data stored in the cloud vulnerable?
Yes. The processors which run cloud servers are similarly affected by the flaws, which means you should avoid storing any sensitive data in the cloud. You should also make sure you have a backup of any irreplaceable data on a portable hard drive or some other form of storage which isn’t connected to a computer, network or the internet. Again, this is good practice against any type of hacker attack. Jim has been testing and reviewing products for over 20 years. His main beats include VPN services and antivirus. He also covers smart home tech, mesh Wi-Fi and electric bikes.