It’s come to light this week that serious security flaws have been discovered in the processors of most modern PCs, laptops, tablets, smartphones, and cloud computers. These bugs allow programs to steal data being processed by other programs running on the device, and could be exploited to extract secrets from running programs, including passwords and personal files.
Meltdown is only known to affect Intel processors, mostly present on desktop, laptop, server, and cloud PCs. It allows applications run by users to access parts of the computer’s memory that should be restricted to the operating system.
Spectre affects almost all modern processors, including Intel, AMD, and ARM chips, present in most modern devices. It allows attackers to trick error-free programs into leaking sensitive information.
More detail
- There are good layman’s news articles at The BBC and The Guardian.
- The UK government has released guidance on the bugs and what to do next.
- The synopsis by the teams which discovered the flaws is surprisingly clear.
Prater Raines’s response
Prater Raines don’t host any data in the cloud. We run our websites and online applications from our own servers at a data centre in Maidstone, and run backups and off-site services from a dedicated server in York.
All of our hardware uses Intel processors and runs Ubuntu Linux. Unfortunately, Ubuntu won’t be patched against Spectre and Meltdown until Tuesday 9 January, so we’ll be running an emergency software update on Tuesday when the patches are released. Your website will be offline for up to half an hour during the day, but we’ll post on Twitter and Facebook before we start the update and on completion.
In the meantime all our servers are kept up to date with recent versions of all software as a matter of course. We isolate network connections using hardware and software firewalls so that only public services can be accessed. Our servers don’t run unnecessary or unsupported applications.
We keep all our laptops and personal devices running up to date software as a matter of course. In addition, we’re keeping aware of available mitigations and have taken all of our suggested actions for end users below.
All of our sites run over HTTPS by default. We’ve confirmed that none of our first-party cookies are accessible from Javascript and we don’t use document.cookie. We send appropriate content type headers for all content, and today added the “nosniff” option to prevent browsers ignoring our content type headers.
We’re working towards the government’s Cyber Essentials security certification, which we expect to achieve later this year.
What you should do now
The most important advice is to keep all of your devices up to date with manufacturer’s updates. Once the security issues have been patched, download and install the updates on each and every PC or phone you use. Remember to check devices used by all family members too.
Unfortunately not all operating systems have a patch to mitigate against the issue yet. If you’re running Windows 7 or above then the update was released on Wednesday, although it’s incompatible with some anti-virus software. Android was patched today, but unless you have a Google Nexus or Pixel branded device, you’re at the mercy of the phone manufacturer and some brands of Android phones don’t appear to have received updates in a long while. Apple has released fixes for at least part of the problem. Linux distributions are expected to release patches by next Tuesday.
You’ll probably also need to update your computer’s firmware (also known as the BIOS). Check the website of your device manufacturer (eg Asus, Acer, Apple, Dell, HP, Lenovo, etc) for help with this. Firmware updates may be a little longer coming and are a little more difficult to install.
In the meantime, try not to worry too much. There are no known exploits taking advantage of the flaw as yet. You can reduce your risk while you’re waiting for a patch by doing all of the following:
- Only download software from trusted sources such as the Play Store, iTunes, or the Microsoft App Store.
- Install any updates for your operating system, installed applications, and firmware as soon as possible.
- Run anti-virus software and keep it up to date.
- Web browsers are far and away the most likely mechanism for malicious code to execute. Make sure your web browser is up to date and, until the bugs are patched in your operating system, enable isolation mode as follows:
- In Chrome, on a phone, tablet, or PC, enter “chrome://flags/#enable-site-per-process” into the address bar and enable “Strict Site Isolation”.
- In Firefox, enter “about:config?filter=privacy.firstparty.isolate” into the address bar and double click on “privacy.firstparty.isolate”.
- Use different passwords for different services.