Meltdown and Spectre 101: What to Know About the New Exploits

By on Jan 05, 2018

Between the Blueborne vulnerabilities and the High Sierra Mac flaw – we saw some nasty bugs in 2017. Now, 2018 has already introduced us to some powerful new exploits: Meltdown and Spectre. These are cyber-attack techniques that seek to exploit operating system technologies that normally function safely, as designed, but researchers have cleverly identified a way to use these benign technologies for malicious purposes. They basically manipulate the protections that separate applications from operating systems, as well as applications from other applications running on the same computer. They also affect a wide range of devices that we use in our daily lives, including both PCs and phones.

So, how exactly could Meltdown and Spectre have such an impact? First, let’s back up and explore the role they play in operating systems. Most modern operating systems perform speculative execution, and even execute instructions before it is certain that those instructions need to be executed. This makes it possible for one process to infer that some data belongs to another process.

As McAfee CTO Steve Grobman views it, we should think of these vulnerabilities in the sense of modern banking — we rely on banks to perform operations on our behalf, and when we request that a payment is made, our banks will move things around behind the scenes to ensure successful transactions we couldn’t execute as individuals. Just like with banking, we rely on these operating systems to perform services on our behalf, which often involves important data.

Now, what’s dangerous about Meltdown and Spectre is that these attacks can “melt” the barriers between unprivileged applications and the privileged operating system. Essentially, this means pulling back the curtains on all the behind-the-scenes data involved in these services. This allows attackers that leverage Meltdown and Spectre to potentially steal passwords, financial data or information from other applications.

So, the next question is – how do you ensure your devices and data are protected from these exploits? You can start by following these tips:

  • Turn on auto-update. Make sure Windows auto-update is turned on as a best practice, and that you’re connected to the internet so that McAfee auto-update can work too. If Windows auto-update is turned on, there’s nothing else you need to do. But if you manually update Windows, it will succeed no later than Tuesday once McAfee’s auto-update occurs.
  • Update everything immediately. Beyond applying any updates received from Windows, it’s crucial you update everything else too. That way, you can apply any patch you receive from all PC, phone, and mobile app providers that have been affected.
  • Lock down your devices with comprehensive security. McAfee products are not affected by this vulnerability nor the Windows changes that address it. Therefore, after you’ve updated your devices with the latest software, be sure to install comprehensive security. A solution like McAfee LiveSafe can ensure your devices are protected from cybercriminals wishing to leverage this vulnerability in order to steal your personal data.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.


{
"metadata": {
"id": "ff459257-0376-4217-957d-fdf81812d24a8",
"version": "1.0",
"ep": "ta",
"lang": "en-us",
"original-url": "https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/meltdown-and-spectre/",
"author": "Gary Davis",
"author-page": "https://securingtomorrow.mcafee.com/author/gary-davis/",
"category": "Consumer Threat Notices",
"draft": "false",
"authordetail": "Gary Davis is Chief Consumer Security Evangelist. Through a consumer lens, he partners with internal teams to drive strategic alignment of products with the needs of the security space. Gary also provides security education to businesses and consumers by distilling complex security topics into actionable advice. Follow Gary Davis on Twitter at @garyjdavis",
"tinyimage": "https://securingtomorrow.mcafee.com/wp-content/uploads/2017/07/img_1574187893517605.jpg",
"feedimageurl": "https://securingtomorrow.mcafee.com/wp-content/uploads/2018/01/img_1588782481468220.jpg",
"pubDate": "Mon, 31 July 2017 12:35:48 +0000"
}
}

About the Author

Categories: Trusted Advisor

Subscribe to McAfee Securing Tomorrow Blogs