Last Updated on November 29, 2019 by Christopher G Mendla
There are two vulnerabilities that were recently brought to light. The essence of these attacks is that they can establish processes that can read the supposedly secure data from other processes.
Suppose you are logged in to your bank via the web. There is data there about account numbers, balances, passwords etc. Some of that will be encrypted. However, the exploit MIGHT be able to view the unencrypted data. After all, your balance and account numbers need to be displayed in a format you can read.
Meltdown
The first exploit, called Meltdown, seems to affect unpatched systems. When I was doing more hardware/software consulting, I was constantly frustrated by clients or their ‘advisors’ who didn’t see the need for patching/updating their operating systems and software.
A simple precaution is to simply make sure that your operating system and software has the latest updates.
Spectre
This affects the current versions of Chrome. Supposedly Google is releasing Chrome 64 which will address the issue but that will not be until January 23, 2018. In the meantime, they offer an experimental tool that should allow for isolation.
You can enable an experimental tool to isolate sites and applications in chrome.
1. Determine what version you are running. go to the menu at the top right of chrome. Choose Help, and then About Google Chrome.
Chrome about |
Chrome version |
If you decide that you want to enable strict site isolation, enter chrome://flags/#enable-site-per-process in the chrome URL bar. That will bring up a list of experimental chrome tools. You can enable strict site isolation there.
Enable Strict Site Isolation in Chrome |
The question is, do you enable the strict site isolation now or wait until the January 23rd release of version 64 of Chrome? The fix for Spectre seems to cause issues on mobile devices. Also, I haven’t had a chance to test it with the sites I need on a daily basis. There is a possibility of issues when accessing sites you need.
Note that this exploit has the potential to affect a wide range of devices including phones, Linux machines, Apple based devices and more.
In short both exploits expose serious vulnerabilities.
For more reading:
- Mashables article
- Gratz University description of the vulnerability
- Google’s Mitigations Against CPU Speculative Execution Attack Method
Note – until things settle down the Meltdown tag will give all related posts (as of Jan 2018)