Meltdown and Spectre Explained
Computer researchers have recently discovered the main chip in most modern computers — the CPU — has a hardware bug. It's really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on a network, including workstations and all servers.
This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.
So, if the bad guys are able to get the malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.
So, What Are We Doing About This?
We need to update and patch all machines on the network. For any of our Forget Computers or Robot Cloud clients, this is something we continuously and actively work toward. Patching has been under way since January 24th.
For a device to be mitigated against the Meltdown and Spectre vulnerabilities, the following criteria must be met:
- macOS 10.11.6 El Capitan must be patched with Security Update 2018-001, which will update the OS build number to 15G19009
- macOS 10.12.6 Sierra must be patched with Security Update 2018-001, which will update the OS build number to 16G1212
- macOS 10.13 High Sierra should be patched to macOS 10.13.3, which contains the fixes included in both 10.13.2 and the 10.13.2 supplemental update. 10.13.3 has two OS build numbers: 17D47 and 17D2047. 17D2047 is specific to the iMac Pro.
Safari 11.0.3, which encompasses changes in all versions of Safari 11.0.2, should be installed on 10.11, 10.12 and 10.13 devices.
tvOS received mitigation for Meltdown in tvOS 11.2. As of January 23, 2018, Apple has not clarified whether or not tvOS is still vulnerable to the Spectre vulnerabilities.
watchOS is not affected by either Meltdown or Spectre.
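The macOS build criteria listed above can be checked from a script. The following is an added example, not Apple's tooling or code from this post; the function names are hypothetical, and it assumes that a later update within the same OS release never has a lower build number than the ones listed. It covers the OS build only, not the Safari version.

```shell
#!/bin/sh
# Added example (not Apple's or the author's tooling): compare a Mac's OS
# build with the patched builds listed in the criteria above.

# build_key 16G1212 -> "16 71 1212" (major, letter as a number, minor).
build_key() {
    case "$1" in [0-9]*[A-Z][0-9]*) ;; *) return 1 ;; esac
    major=${1%%[A-Z]*}            # digits before the letter
    rest=${1#"$major"}            # letter plus trailing number
    num=${rest#?}                 # number after the letter
    letter=${rest%"$num"}
    printf '%d %d %d\n' "$major" "'$letter" "${num%%[!0-9]*}"
}

# build_ge A B: succeed when build A sorts at or above build B.
# Assumption: a later update in the same OS release never sorts lower.
build_ge() {
    set -- $(build_key "$1") $(build_key "$2")
    [ $# -eq 6 ] || return 2
    if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]; fi
}

# check_mitigation <productVersion> <buildVersion>
check_mitigation() {
    case "$1" in
        10.11|10.11.*) need=15G19009 ;;   # El Capitan, Security Update 2018-001
        10.12|10.12.*) need=16G1212 ;;    # Sierra, Security Update 2018-001
        10.13|10.13.*) need=17D47 ;;      # High Sierra 10.13.3 (iMac Pro: 17D2047)
        *) echo "UNKNOWN: macOS $1 is not in the list"; return 2 ;;
    esac
    if build_ge "$2" "$need"; then
        echo "PATCHED: macOS $1 build $2 is at or above $need"
    else
        echo "NOT PATCHED: macOS $1 build $2 is below $need"; return 1
    fi
}

# On a Mac, report on the local machine; elsewhere the functions can be
# called with values collected by an inventory tool.
if command -v sw_vers >/dev/null 2>&1; then
    check_mitigation "$(sw_vers -productVersion)" "$(sw_vers -buildVersion)"
fi
```

The exit status is 0 for a patched build, 1 for a build below the listed one, and 2 for a macOS release the list does not cover, so the script can drive a compliance report.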
As always, be extra vigilant, keep security top of mind, and Think Before You Click. Malware must be running on a vulnerable machine for this vulnerability to be exploited. So ... remind your team not to let bad guys into their machines to start with. :)
To help you stay safe online in the office and also at the house, please consider the Security Program we built in partnership with WIMZKL. Or contact us to start Security Awareness Training in your office.
Want to know more? Here is a good site with an FAQ and videos about this SNAFU. Also, read the updates as we post them in the comments below.