By Joe Callison
13 January, 2018
I tried to resist writing on these because they are everywhere in the media already and there have been new developments almost daily as companies frantically prepare their responses to the vulnerabilities. You can follow new security updates easily by looking at the Security Alerts and Updates on our own SenCom web site. The technical details and many helpful links and manufacturers’ responses are also contained in the following alert by Homeland Security.
It has been apparent in recent SenCom meetings that some less technical explanation and guidance would be beneficial to our members, so here goes an attempt to explain some very complex technical problems and what, if any, your action should be.
Meltdown is a vulnerability that exploits a design weakness affecting almost every Intel processor released since 1995. These processors are used in desktop and laptop computers made by all manufacturers, including Apple. Some ARM processors, typically used in some smartphones, tablets and wearable devices, are also affected. Processors from AMD, a rival of Intel, that are used in desktop and laptop computers are not affected. The vulnerability allows remnants of data left in the processor memory caches to be read by malware, which may expose passwords and other sensitive data. According to Intel, operating system patches issued by Microsoft, Linux, and Apple can mitigate the Meltdown vulnerability.
Spectre is a couple of vulnerabilities exploiting Intel, ARM, and AMD processor design features that allow malware to extract information from other running processes, for example to steal login cookies from browsers. It is more difficult to mitigate with patches because it requires not only operating systems to be patched, but also internet browsers and certain other software for computers, tablets, smartphones, and wearable devices.
Actions by You
First of all, don’t panic! These vulnerabilities were not discovered by hackers, but by researchers who study the intricacies of processor designs, theorize methods of exploiting them, and then build tests to determine if the exploits actually work. Then they present their findings to the designers or manufacturers, in this case in June 2017, and do not go public until time has been allowed to fix the vulnerability, unless there is no timely response by the manufacturer or it gets leaked. Once the vulnerability has been made known to the public, the hackers may go to work to figure out how to use it to exploit any unpatched systems, so update everything on your computer or device that is recommended for these vulnerabilities as soon as it is available. Since an exploit of these vulnerabilities requires placement of malware on your computer, as always be diligent about practicing safe browsing and email reading. The type of malware required will not look like any other malware and will not likely be detected by your antivirus and antimalware protection until some actual exploits have been seen.
Microsoft Windows support has detailed instructions on protecting your Windows devices against Spectre and Meltdown. Notice it also has links for the firmware updates from computer manufacturers. As mentioned in the link, Microsoft included Windows operating system fixes in the January Windows update already released. If you did not get the update and can’t get it by manually checking for updates, then it is likely that you either have non-Microsoft antivirus that has not been updated first or you have no antivirus installed. Also, some computers with older AMD processors are temporarily blocked from updating, because of problems the initial patch caused, until Microsoft revises the update for them.
Apple support has information on their mitigation for iOS, macOS and tvOS.
Google has issued a security update for Android computers using the Chromium OS and to Android smartphone and tablet makers. The following article provides information on what phone and tablet devices will get the updates according to a recent source.
WPA3 is the new Wi-Fi network standard to address the KRACK vulnerability affecting the more than ten-year-old WPA2 standard. With KRACK, someone could snoop on your Wi-Fi communication to capture the temporary password key created for the session and, even though it is encrypted, could reuse it later for access to your computer to steal data or plant malware. The new standard not only prevents reuse of temporary password keys but also strengthens the encryption and limits the number of failed password guesses for improved security. New Wi-Fi devices designed with WPA3 are expected to be on the market later this year. Even though software and firmware patches have been released for existing Wi-Fi equipment to address the KRACK vulnerability, if you have been thinking about buying a new Wi-Fi adapter or router, you might want to hold off until the new equipment is available. Meanwhile, be sure you obtain and install any available patches as mentioned in my November 1, 2017 blog “KRACK and ROCA: Are You Safe?”