Don’t let the absurdity of Modernity make you blue!
Subscribe to our Modernity Alerts mailing list for more inspiringly actionable cybersecurity info!


This one’s important!

Two new vulnerabilities, dubbed Meltdown and Spectre, allow attackers to access pretty much anything running on your computer, smartphone, tablet, Cloud server… wherever and whatever.

Say what?

Yeah, it’s that bad.

A Meltdown attack has to get installed on your machine, but once there, it can theoretically access anything running. By contrast, Spectre can potentially attack you via a malicious webpage, but is limited to only accessing the information currently running in your web browser.

That’s still a lot of data, though! If you have passwords, financial information, your email, or anything else open in any browser tab or window while Spectre attacks you in another one, that information is vulnerable.

But surely there’s some way to know if I’m getting attacked?

Probably not. Nor will there be any logs or other traces left behind. Your computers, smartphones, and tablets are wide open windows whose burglar alarms have been disabled.

How the heck did this happen?

Sparing you the sordid history of the technology economy… It’s a flaw in the design of most processor chips manufactured since 1995. 

I’m panicking!?

Breathe! Luckily, there are no known exploits in the wild yet, so there’s still time to get protected.

So how do I defend myself?

Like so many security issues, timely patching is the best method of minimizing exposure. The entire technology world breathed a huge sigh of relief last week, because initial reports erroneously stated that the patches for Meltdown and Spectre would cause all computers to slow down significantly; luckily, these rumors were unfounded, and most users aren’t noticing much, if any, of a performance penalty after installing patches.  

Let’s look at how to defend against each vulnerability.

First, mind your web browser

As noted at the beginning of this article, the Spectre vulnerability specifically affects web browsers, so they require special care and handling.

Safari, Firefox, and Microsoft Edge have been patched in the most recent updates. The Ignition team is pushing the Safari and Edge updates to clients who subscribe to our Startup In a Box™ patch management service.

A permanent fix for the Chrome browser will be released on January 23. In the meantime, Chrome users can turn on a hidden feature that will protect them against Spectre. To do so:

  1. Paste this link into your Chrome address bar and hit Enter: chrome://flags/#enable-site-per-process
  2. Click the Enable button next to Strict site isolation.

Windows: the good news

Microsoft has released patches for Windows 7 through 10.

Ignition is monitoring computers belonging to clients who subscribe to Startup In a Box™ to ensure they receive these patches.

If you don’t subscribe to our patch management service, open up Windows Update on your computer and get a-patchin’! Don’t forget that the Windows installation isn’t complete until you’ve restarted, and if you haven’t patched your Windows machine in a long time, you might need to go through the update process multiple times in a row.

Um, you also might consider subscribing to our patching service for a few bucks per month, because if you haven’t updated Windows in that long, you’re every hacker’s favorite lunch.

Windows: the bad news

Some antivirus products prevent the Windows patch from installing!

The antivirus products that Ignition manages for Startup In a Box™ subscribers do not have this problem, but if you are managing your own antivirus applications, ask us for help to ensure you are adequately covered.

Mac: the good news

Apple quietly released the patch for users of its latest macOS, 10.13 High Sierra, way back in December.  If you’re running High Sierra and haven’t updated yet to version 10.13.2, do so now.

Ignition is monitoring patch installation for High Sierra users who subscribe to Startup In a Box™.

Mac: the bad news

As of this writing, Apple hasn’t made a statement about whether it will release Meltdown patches for older macOS versions, which are still widely in use. (However, as noted above, Apple is releasing a Spectre patch for these older macOS versions.)

If you’re running a version of macOS older than 10.13 High Sierra, now is probably the time to upgrade. 

We will continue to monitor Apple’s releases. To be apprised of relevant updates, subscribe to our free Modernity Alerts newsletter.

iPhone and Apple TV

Update these gizmos to version 11.2.2 and you’re all set. If you have an older device that can’t run version 11.2.2, now’s the time to buy a new iPhone.

Android

The Android ecosystem continues to be a bit of a Wild West. Some Android phones have already been patched, but many haven’t. You should ask your device manufacturer about safety for your specific phone or Android tablet. Ignition customers, drop us a line with your device model and we’ll see what we can dig up.

Want to learn more?

If you are curious to know more about the details of these attacks, check out the following pages:

https://meltdownattack.com/

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Got further questions?

Don’t be shy! Either email us directly or subscribe to our Modernity Alerts announcement list, and we’ll send you more information as it becomes available.

If you’d like to rest easy that someone is handling your cybersecurity due-diligence, check out our Startup In a Box™ offering and drop us a line with questions!

In the meantime, stay calm and patch on!

 

Luv,

The Gang @ Ignition

 

Michael Bricker, one of Ignition’s likeable and handsome consultants, contributed research and reporting to this article. Thanks, Bricker!