Learning that almost every computer you own suffers from a vulnerability stretching back decades can be the stuff of existential electronic dread.
But while the processor flaws called “Meltdown” and “Spectre” that could let an attacker start to snoop on the most secure contents of your device’s memory are spookier than the average glitch, your odds of getting hit by them are much lower than your chances of being targeted by less exciting but more common hacking tactics.
The relative good news in all this: all the security chores users should do to protect against these two big risks, which affect nearly all PCs, Macs and many smartphones—starting with letting your computer and phone install security updates automatically—will help protect against those more ordinary dangers, too.
In one way, this situation is better than other software bugs. The researchers who discovered these problems began notifying the companies involved last summer, so some patches for them arrived weeks before the public disclosure Wednesday and others arrived within two days of that news.
And although initial coverage of these vulnerabilities focused on the risk of possible slowdowns, that doesn’t appear to be a meaningful risk on consumer devices getting the following patches:
Mac, iPhone and iPad user
Apple included code mitigating Meltdown — the bug confined to Intel chips, which is both easier to exploit and easier to patch — in updates to iOS 11 and macOS High Sierra that shipped in December.
On Monday, it shipped patches for iOS, macOS and its Safari browser for Spectre, a more complicated vulnerability that affects AMD and ARM chips as well as Intel’s.
Microsoft shipped its own patch for Windows 10 as well as its Internet Explorer and Edge browsers Jan. 3 via its automatic Windows Update system, with patches for older versions coming next week. If you use a third-party anti-virus app, however, you may not be able to install this update, yet another reason to switch to Microsoft’s free, built-in Windows Defender.
Turning anti-malware duty over to that app will also let you turn on the “controlled folder access” ransomware protection Microsoft added to Windows 10 last fall, which stops unauthorized apps from tampering core folders.
Android, Chrome users
Google patched Android against Meltdown and Spectre in January’s security updates, which should be on their way to your phone if they haven’t already landed. The catch: too many Android device vendors remain terrible at keeping up with Google’s updates. Google will also ship an update to its Chrome browser in January to obstruct attempts to exploit these flaws.
Another reason to anticipate that Chrome 64 release: It will stop scripting hacks that let a rogue ad hijack your attention with a “forced redirect” of your browser away from the current page.
System-wide patches are only one part of the fix here, however. You can also take steps to thwart a malicious Web site, the most likely source of a Meltdown or Spectre attack, from getting at your computer through your browser.
If you use Chrome, you can switch on a “strict site Isolation” setting that walls off each site in its own cell-block of memory. To activate that, type “chrome://flags#enable-site-per-process” in the address bar, click the “Enable” button and restart the browser.
Firefox browser users
Mozilla Firefox, meanwhile, shipped an update Thursday that includes fixes to jam Meltdown or Spectre exploits. You should get that release automatically after launching the browser.
While you’re tinkering with browsers, you should also take advantage of this opportunity to dump outdated and unsafe browser plug-ins like Adobe Flash.
As scary as Meltdown and Spectre may seem, they don’t represent the first time we’ve had to clean up a computing mess — and probably won’t be the last.
This zero day exploit could have been much worse, but thanks to insanely fast response time and the media attention of the companies that this exploit affects most of the huge potential fallout has been avoided. Sure there are going to be a few more loose ends to tie up but I think this could have been a lot worse. The only remaining question I have is – “Has this exploit been utilized in the wild prior to being cast into the spotlight?” This is after all a fairly simple zero day exploit that could have been discovered and utilized in the wild. The military and data mining applications are endless.