Meltdown and Spectre 101: What to Know About the New Exploits

By on Jan 05, 2018

Between the Blueborne vulnerabilities and the High Sierra Mac flaw, we saw some nasty bugs in 2017. Now, 2018 has already introduced us to some powerful new exploits: Meltdown and Spectre. These are cyber-attack techniques that exploit operating system technologies that normally function safely, as designed; researchers have cleverly identified a way to use these benign technologies for malicious purposes. They basically manipulate the protections that separate applications from operating systems, as well as applications from other applications running on the same computer. They also affect a wide range of devices that we use in our daily lives, including both PCs and phones.

So, how exactly could Meltdown and Spectre have such an impact? First, let’s back up and explore the role they play in operating systems. Most modern operating systems perform speculative execution, and even execute instructions before it is certain that those instructions need to be executed. This makes it possible for one process to infer that some data belongs to another process.

As McAfee CTO Steve Grobman views it, we should think of these vulnerabilities in the sense of modern banking — we rely on banks to perform operations on our behalf, and when we request that a payment is made, our banks will move things around behind the scenes to ensure successful transactions we couldn’t execute as individuals. Just like with banking, we rely on these operating systems to perform services on our behalf, which often involves important data.

Now, what’s dangerous about Meltdown and Spectre is that these attacks can “melt” the barriers between unprivileged applications and the privileged operating system. Essentially, this means pulling back the curtains on all the behind-the-scenes data involved in these services. This allows attackers that leverage Meltdown and Spectre to potentially steal passwords, financial data or information from other applications. What’s more, cybercriminals are attempting to leverage these exploits in other ways too: a fake patch is currently being circulated that is actually a front for malware called Smoke Loader.

So, the next question is – how do you ensure your devices and data are protected from these exploits? You can start by following these tips:

  • Turn on auto-update. Make sure Windows auto-update is turned on as a best practice, and that you’re connected to the internet so that McAfee auto-update can work too. If Windows auto-update is turned on, there’s nothing else you need to do. But if you manually update Windows, it will succeed no later than Tuesday once McAfee’s auto-update occurs.
  • Update everything immediately. Beyond applying any updates received from Windows, it’s crucial you update everything else too. That way, you can apply any patch you receive from all PC, phone, and mobile app providers that have been affected.
  • Go straight to the source. The phony patch carrying Smoke Loader comes from a fake website claiming to be part of the German Federal Office for Information Security. So, in order to avoid this fake patch and others like it, always be sure to go straight to the source, meaning go directly to the site of your provider.
  • Lock down your devices with comprehensive security. McAfee products are not affected by this vulnerability nor the Windows changes that address it. Therefore, after you’ve updated your devices with the latest software, be sure to install comprehensive security. A solution like McAfee LiveSafe can ensure your devices are protected from cybercriminals wishing to leverage this vulnerability in order to steal your personal data.


About the Author


McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place.

  1. Thanks, would like more Defender is used somewhat by a rated greater McAfee Installment: Does Defender Pro go best as 10-year purchase and yet have evident greater buying as large cost McAfee towards business? Otherwise why invest?

  2. Wow, I love the suggestion that security experts provide a fake target for hackers through which they can upload a virus to wipe clean THEIR computers! Great idea! They deserve some of their own medicine.

  3. Does McAfee LiveSafe still protect you against hackers on your PC and phone? I am asking because I think I may have been hacked.

    • McAfee LiveSafe should have you covered! But we’d need more detail to help you out with anything. Make sure you update your Windows/Phone operating system RIGHT AWAY, though. Microsoft and other providers have released important updates that are compatible with McAfee LiveSafe to protect you. Here’s a link with more information:

  4. Thanks for the heads-up alert; that’s a nice service you offer. Based on your advice, it looks like I’ll be alright with auto Windows update and McAfee security. The best to you all.
