Security Article

Critical Security Vulnerabilities – Meltdown and Spectre – Affect Computers, Mobile Devices, and Servers

New security vulnerabilities, Meltdown and Spectre, which affect processors on computers, mobile devices, and servers, were announced on January 3, 2018. These vulnerabilities allow programs to collect data processed on devices, including information stored in computer memory, such as passwords, your personal photos, emails, instant messages, and other confidential information. If an attacker gains access to this type of personal information, they could potentially steal your identity, access your bank account(s), or even blackmail you.

Meltdown is a vulnerability affecting devices and Internet servers with Intel chips. The design flaw affects the security parameters enforced by the central processing unit (CPU), and breaks down the barrier that separates user applications, such as email and document storage, from accessing protected system memory. The Meltdown vulnerability, confirmed to exist in all Intel processors since 1995 (with the exception of Intel Itanium and Atom before 2013), includes computers by popular vendors such as Apple, Microsoft, Dell, HP, and Lenovo.

Spectre is a vulnerability affecting processors in smartphones, tablets, and computer chips from Intel and Advance Micro Devices Inc. (AMD). It allows for leakage of information from applications. Similar to Meltdown, Spectre affects Intel processors, but also affects AMD and ARM processors. This vulnerability includes devices made by vendors such as Apple, Microsoft, Dell, HP, Google, and Lenovo.

How Can You Protect Yourself from Meltdown and Spectre?

• Patch and/or update your operating system (OS)
  • Windows OS: https://support.microsoft.com/en-us/help/311047/how-to-keep-your-windows-computer-up-to-date
  • Mac OS: https://support.apple.com/en-us/HT201541
  • iOS device (iPad, iPhone, iPod): https://support.apple.com/en-us/HT204204
  • Android OS: http://www.ubergizmo.com/how-to/update-android-os/
• Make sure to update your web browser(s) to the latest version, when available.
  • Github.com has compiled a list of updates and news releases from vendors for patch updates for the Meltdown and Spectre vulnerabilities for both operating systems and web browsers: https://github.com/hannob/meltdownspectre-patches.

Remember to always use good security practices for the care of your electronic devices, such as protecting your passwords/passphrases; running anti-virus software; and diligently patching your operating system, web browser(s), and applications.

Learn More

To learn more about these vulnerabilities, please review the links below:

• Official webpage of the Meltdown and Spectre vulnerabilities: https://meltdownattack.com/
• Write-up by Security Researcher Daniel Miessler: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/
• New York Times Article Detailing the Flaws: https://www.nytimes.com/2018/01/03/business/computer-flaws.html

If you have any questions or concerns, please contact the Information Security Office at: infosec@miami.edu.