AP Explains: Who’s affected by computer chip security flaw.
Technology companies are scrambling to fix serious security flaws affecting computer processors built by Intel and other chip makers and found in many of the world’s personal computers and smartphones.
Intel is at the center of the problem because it supplies the processors used in many of the world’s PCs. Researchers say one of the bugs, called ‘Meltdown’, affects nearly every processor it’s made since the mid-1990s.
Other Chip Producers
While researchers say the Meltdown bug is limited to Intel processors, they have verified ‘Spectre’ as a problem for Intel, Advanced Micro Devices and ARM processors. AMD chips are also common in PCs, while ARM chips are found in many smartphones and other internet-connected products, including cars and home appliances. The ARM design is also used in Apple’s mobile chips.
Meltdown & Spectre
For Windows itself, this is where things get messy. Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party antivirus software then it’s possible you won’t see that patch yet. Security researchers are attempting to compile a list of antivirus software that’s supported, but it’s a bit of a mess to say the least. Microsoft has started rolling out its own Windows 10 security patches, alongside software updates for Firefox and an update coming to Chrome later this month.
Apple has not yet commented publicly on the bugs, but AppleInsider reports that Apple has already deployed a partial fix for the security bug in macOS 10.13.2. More changes are expected to come with 10.13.3 soon. Apple has not commented on how it plans to fix its Safari browser or even macOS. Apple also didn’t immediately respond to inquiries on whether iPhones and other mobile products are affected.
WHAT TO DO NEXT?
There are limits to what consumers can do now to protect their computers.
Advice from the U.S. Computer Emergency Readiness Team was grim. The federal organization says that “fully removing the vulnerability” requires replacing the hardware already embedded in millions of computing devices.
That’s not to say nothing can be done.
Updates and Unknowns
Protecting a Windows PC is complicated right now, and there are still a lot of unknowns. There are already Meltdown patches for Microsoft’s Windows, Apple’s macOS and Linux. Mozilla says it’s also implementing a short-term mitigation that disables some capabilities of its Firefox browser. Google says Android devices are protected if they have the latest security updates.
Microsoft, Google, and Mozilla are all issuing patches for their browsers as a first line of defense. Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64, which is due to be released on January 23rd. Chrome, Edge, and Firefox users on Windows won’t really need to do much apart from accept the automatic updates to ensure they’re protected at the basic browser level.
Consumers can mitigate the underlying vulnerability by making sure they patch up their operating systems with the latest software upgrades.
If you own a Windows-powered PC or laptop, the best thing to do right now is ensure you have the latest Windows 10 updates and BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers. We’re hoping Microsoft or Intel creates a simple tool (they have a PowerShell script right now) to check protection for both the firmware and Windows updates, but until such a tool is available you’ll need to manually check or get familiar with PowerShell.
“If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” security researcher Rob Graham said in a blog post Thursday.
Here’s a quick step-by-step checklist to follow for now:
- Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser
- Check Windows Update and ensure KB4056892 is installed for Windows 10
- Check your PC OEM website for support information and firmware updates and apply any immediately
These steps currently protect only against Meltdown, the more immediate threat of the CPU flaws. Spectre is still largely an unknown, and security researchers are advising that it’s more difficult to exploit than Meltdown. The New York Times reports that Spectre fixes will be a lot more complicated as they require a redesign of the processor and hardware changes, so we could be living with the threat of a Spectre attack for years to come.
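For readers getting familiar with PowerShell, the Windows items in the checklist above can be checked in one pass. This is an added example, not code from the article or from Microsoft; the function name `Get-MeltdownPatchStatus` is hypothetical, and it assumes the PowerShell script mentioned earlier is Microsoft's `SpeculationControl` module, which the article does not name.

```powershell
# Added example (not from the article): audit one Windows 10 PC against the checklist.
function Get-MeltdownPatchStatus {
    param([string]$KbId = 'KB4056892')   # update named in the checklist

    # Installed updates as Windows reports them; filter locally so a missing KB
    # yields an empty result instead of an error.
    $hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $KbId } | Select-Object -First 1

    # Firmware identity, to compare by hand against the PC maker's support page.
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Assumption: Microsoft's checking script is installed as the SpeculationControl module.
    $module = Get-Module -ListAvailable -Name SpeculationControl | Select-Object -First 1

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        KbId               = $KbId
        KbInstalled        = [bool]$hotfix
        KbInstalledOn      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        BiosVendor         = $bios.Manufacturer
        BiosVersion        = $bios.SMBIOSBIOSVersion
        BiosReleaseDate    = $bios.ReleaseDate
        CheckModulePresent = [bool]$module
    }
}

$status = Get-MeltdownPatchStatus
$status | Format-List

if (-not $status.KbInstalled) {
    Write-Warning "$($status.KbId) is not listed; run Windows Update and check again."
}

# If the checking module is present, let it report the OS and firmware mitigation state.
if ($status.CheckModulePresent) {
    Import-Module SpeculationControl
    Get-SpeculationControlSettings
}
```

Windows 10 updates are cumulative, so a PC that has already taken a newer cumulative update may not list this KB by number; the firmware date still has to be compared by hand against the version on the PC maker's support page.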
- US-CERT verifies how widespread the vulnerability is:
- You can read the US-CERT advisory on Meltdown and Spectre here, but you may not like their ultimate solution to the problem:
- Meltdown and Spectre have their own combined website now, explaining what each vulnerability does, with video of the exploits and a list of resources. CERT pointed to this site as a resource: https://meltdownattack.com/
- Industry updates: Intel News, Microsoft Advisory, Azure Update, Amazon Update, Google Update, AMD Update