How to protect your PC against the major ‘Meltdown’ CPU security flaw

Details have emerged on two major processor security flaws this week, and the industry is scrambling to issue fixes and secure machines for customers. Dubbed “Meltdown” and “Spectre,” the flaws affect nearly every device made in the past 20 years. The Meltdown flaw only affects Intel processors, and researchers have already released proof of concept code that could lead to attacks using Meltdown.

The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information. Researchers are already showing how easy this attack works on Linux machines, but Microsoft says it has “not received any information to indicate that these vulnerabilities have been used to attack customers at this time.” "Protecting a Windows PC is complicated"

Protecting a Windows PC is complicated right now, and there’s still a lot of unknowns. Microsoft, Google, and Mozilla are all issuing patches for their browsers as a first line of defence. Firefox 57 (the latest) includes a fix, as do the latest versions of Internet Explorer and Edge for Windows 10. Google says it will roll out a fix with Chrome 64 which is due to be released on January 23rd. Apple has not commented on how it plans to fix its Safari browser or even macOS. Chrome, Edge, and Firefox users on Windows won’t really need to do much apart from accept the automatic updates to ensure they’re protected at the basic browser level.

For Windows itself, this is where things get messy. Microsoft has issued an emergency security patch through Windows Update, but if you’re running third-party anti-virus software then it’s possible you won’t see that patch yet. Security researchers are attempting to compile a list of anti-virus software that’s supported, but it’s a bit of mess to say the least.

A firmware update from Intel is also required for additional hardware protection, and those will be distributed separately by OEMs. It’s up to OEMs to release the relevant Intel firmware updates, and support information for those can be found at each OEM support website. If you built your own PC you’ll need to check with your OEM part suppliers for potential fixes.

If you own a Windows-powered PC or laptop, the best thing to do right now is ensure you have the latest Windows 10 updates and BIOS updates from Dell, HP, Lenovo, or one of the many other PC makers. We’re hoping Microsoft or Intel creates a simple tool (they have a PowerShell script right now) to check protection for both the firmware and Windows updates, but until such a tool is available you’ll need to manually check or get familiar with PowerShell. Here’s a quick step-by-step checklist to follow for now:

Update to the latest version of Chrome (on January 23rd) or Firefox 57 if you use either browser Check Windows Update and ensure KB4056892 is installed for Windows 10 Check your PC OEM website for support information and firmware updates and apply any immediately

These steps only currently provide protection against Meltdown, the more immediate threat of the CPU flaws. Spectre is still largely an unknown, and security researchers are advising that it’s more difficult to exploit than Meltdown. The New York Times reports that Spectre fixes will be a lot more complicated as they require a redesign or the processor and hardware changes, so we could be living with the threat of a Spectre attack for years to come.

Update, 9:15AM ET: Removed links to Intel’s detection tool that a now deleted Microsoft security blog may have incorrectly referenced.

“...Mine’s about a yr newer than yours. Might try it. Just wish there was a way to revert if needed....”

I run a backup with Carbon Copy Cloner before I do any update and save it to an external drive. IF, for any reason, I needed to revert back, I can restore to my previous backup. I’ve never actually had to do it...at least not so far, but I believe it would work if I needed to.
FWIW, my machine is a 27” iMac 2.93 Ghz I7 w/32gb of ram and an updated 2TB hard drive. I’ve had no issues with High Sierra 10.13.2 on this older machine, but like I said, I’m not compiling mountains of hard core raw computer data either...just email, web browsing and real-time streaming of stock data. However, on any given weekday while monitoring the stock markets, I’ll have as many as 7 desktops open at any one given time. I have an another external Asus 27” monitor in vertical mode tied on as well. To date, I’ve not had any stability issues with the OSX.

[[Linux users tend to be more aware of what they are doing.]]

Ha- not me lol- I’m oblivious mostly-

[[or perhaps the OS vendors or open source Linux kernel people will have to do it.]]

That would indicate that we’ll need both an intel patch and os patch? The intel one I believe is what will ‘slow machines down’ some suggest by a possible 50%? (I’ve read anywhere between 5% and 50%)

Ugggh- what a mess-

[[ I think the patching will be in the kernel, but I’m not sure how you stop the potentially malicious behavior]]

I’m Gonna have to watch the linux blogs to see what they are saying about this- I’m wondering that if linux comes up with a patch, if that might be all that is necessary, foregoing the intel patch, if I use only linux for all itnernet activity (although i do dual boot- and use windows 7- but try to not to go online with windows - and only to known good sites only when I do-

[[ think the patching will be in the kernel, but I’m not sure how you stop the potentially malicious behavior.]]

I don’t know much about these things, but it would seem there should be a way to alert whenever an exe or elf is about to execute? But i suppose malicious code attempts to bypass the alerts? Would be nice if there was a fool proof way to prevent all EXE’s and EFL’s from executing without explicit permission from computer owner-

I dropped windows as my online os awhile back because I was always getting redirected when doing searches online and getting sent to malicious sites or compromised sites- and just got sick of always having to secure the os just to be online- now this has happened- and it’s sad hat it’s intel related, not just os related- that changes the game- now even linux may not be as safe as it was-

It’s a shame that people have to ruin other people’s online experiences like with this exploit- We all went for a good many years basically able to enjoy online activities without too much concern, but now we’ve got to deal with it and will be affected by it-

I don’t know much about these things, but it would seem there should be a way to alert whenever an exe or elf is about to execute?

The problem with that is there are dozens or more running normally. So if you have to give permission to each one, there would be a lot of clicking of the "go ahead" button. Some antivirus vendors do a whitelist where they add all the known "good" EXEs or ELFs. But that is difficult to maintain and control. For one thing, anytime you install new SW the list would need to be updated. Also the bad guys know where the list is and may try to change it.

yeah i guess there is no easy solution- I just wonder if we’re getting to a point where hackers can throttle our computers to a point where we’re forced to essentially downgrade the speed because of a vulnerability- how slow will the go? I mean how many times will something like this happen where we’re forced to slow our computers by applying ‘fixes’?

I understand most causal users won’t notice a slowdown but those that depend on a computer for speed, they will be affected more- it’s just aggravating that intel knew about this issue and kept it quiet in order to sell ‘faster computers’ than amd-

Anyways- did you apply the intel patch? Is it out yet? I looked in my windows 7 windows update panel, but didn’t see anything resembling a patch for the issue?

I upgraded my main os linux- hopefully that had the ‘fix’ but I don’t know for sure if it did or not-

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.