The world was caught off guard by two security holes that affect almost all processors released in the last 20 years. Meltdown and Spectre allow sensitive information to leak, regardless of the operating system that is running. Fortunately, the major technology companies are already releasing updates to mitigate the problems.
Windows, Linux and macOS
Microsoft released an emergency update for Windows 10 users on the night of this Wednesday (3). There is one detail, however: if you have a third-party antivirus that is not yet supported, the fix will not be installed automatically. This is because some of them, such as Symantec Endpoint Protection, even cause blue screens of death due to changes in the functioning of the operating system.
This list, published by The Verge, is being updated as antivirus companies prepare their security software for the Microsoft fix. If you use only Windows Defender, the patch for Windows 10 should already be available. For earlier versions of Windows (7 and 8), updates will be released on the 9th of January.
On Linux, a kernel patch has already been developed to mitigate Meltdown and Spectre, but the big distributions, such as Red Hat, Ubuntu and Debian, have not yet released the update. Red Hat says it is testing the fix and will release it as soon as possible; one of the Spectre variants will also require a processor firmware upgrade.
Apple has still not commented officially on the flaws. AppleInsider reports that the problem has been “partially fixed” in macOS High Sierra version 10.13.2, released in December, and that there is no evidence of performance loss with the upgrade. In addition, according to one developer, further changes addressing the flaws are coming in 10.13.3.
As Spectre also affects ARM processors, Android-based smartphones will receive a kernel fix to prevent the flaw from being exploited. The update is dated 5 January 2018.
However, in the case of Android, the problem is more complicated: anyone who owns a Pixel, Pixel 2, Nexus 5, Nexus 6P or Pixel C should receive the fix quickly, but owners of smartphones from other brands will depend on the goodwill of the manufacturers. Google says it released the patch to its hardware partners in mid-December.
Chrome, Firefox, and Edge
Firefox users have an update available, starting with version 57 of the browser. Mozilla says that “the dimension of this type of attack is still under investigation and we are working with security researchers and other developers of browsers to fully understand the threat and the fixes”.
If you use Edge or Internet Explorer, you do not need to do anything specific: update KB4056890, released in Microsoft's emergency package for Windows 10 users, already includes the patch to mitigate the flaw.
The fixes are not permanent
It is recommended that you install the patches as soon as possible, but remember that they mitigate the problems rather than solve them completely, since the flaws are in the processors. In the simplest terms, they are the closest thing to the ideal that we have today.
The additional software barrier that protects against Meltdown, which affects Intel processors, may cause a performance loss of 5 to 30%. However, the manufacturer says that ordinary users should not feel any significant impact on performance.
Spectre, which affects almost all chips made in the last two decades, is more difficult to fix: the processors would have to be redesigned. It is possible to block some types of attacks, but not all at once, so software will be updated over the next few years to strengthen the defense. A fix should not appear until a new generation of processors is released.
Finally, antivirus software is unlikely to detect applications that exploit Meltdown or Spectre efficiently, since they are difficult to distinguish, unlike ordinary malware. And exploitation of the flaws leaves no traces on the operating system, so there is no way to know who has already been affected.
Keep everything up to date. Happy 2018.