Security update: What you need to know about Meltdown and Spectre

By Elizabeth Jenike, IT Services

By now, you’ve no doubt heard about the Meltdown and Spectre vulnerabilities, which researchers had been quietly studying for some time. In early January 2018, these issues dominated the tech news cycle after several groups of researchers concurrently discovered two chip flaws (named Meltdown and Spectre) that could allow malicious actors to read memory that would not normally be accessible to them.

Both of these vulnerabilities have to do with how processors handle specific instructions and how memory is accessed. According to Wired contributor Andy Greenberg, the flaw is present in Intel chips that were introduced in the 1990s - so this flaw is more than 20 years old.

What do you need to know?

(Image: the Meltdown and Spectre logos, an orange melting shield and a blue ghost.)

According to Joe Bazeley, assistant vice president for security, compliance, and risk management, two populations of machines at Miami are most likely to be affected and should therefore be prioritized for patching:

  1. Computers used mainly for web browsing.
  2. Computers that allow multiple concurrent users.

For these populations, Joe recommended enabling automatic patching so that when Miami issues a fix for the Meltdown and Spectre flaws, computers remain protected. Miami’s information security team deployed patches for Windows users the week of Jan. 22.

So what now? Is it time to run for the hills?

Not quite. Bazeley noted that normal Windows users (that is, most non-IT staff, faculty, and students) have nothing to worry about, as long as their machines were automatically patched during this update window.

“Wait for the patch to be deployed via the normal processes,” Bazeley said. “If either of the vulnerabilities is turned into meaningful exploits, we will update the timetable and send out another announcement about pushing the patch.”

For personal computers, we’ll offer the same advice: Turn on automatic patching so that when companies put out zero-day fixes for these flaws, your machine will be sure to pick them up.

Key takeaways

The main thing to remember in situations like this: Don’t panic. The media has a tendency to sensationalize stories like this, especially in cases where a large number of machines may be affected (such as in the Heartbleed incident that surfaced in April 2014). Software updates are your friend: Enabling automatic patching is the way to prevent both the Meltdown and Spectre vulnerabilities from becoming issues for your system.

There are a few things to remember when it comes to these kinds of heavily publicized incidents. Typically, researchers follow responsible disclosure practices. This means companies are given time to correct issues by patching whatever vulnerabilities exist in their systems before any research is published. These patches are deployed by multiple companies on the same day, so that gaps in overall security can be avoided - then, a couple of days later, researchers release their findings.

In this way, if any malicious actors were so inclined, they would be mostly unsuccessful at exploiting the published vulnerability, since patching would have already taken care of it.

For in-depth information about each of these security issues, you can read the reports generated by researchers at their respective websites:

As always, if you have any questions or concerns about the vulnerabilities, feel free to get in touch with the Infosec team at Infosec@MiamiOH.edu.