Spectre and Meltdown Security Vulnerabilities
Last week, a group of security analysts at Google (Project Zero) announced that they had discovered two security vulnerabilities affecting computer processors (CPUs). These will affect us and our clients in a number of ways.
What is this?
In short, they allow a program to read computer memory that it should not be able to access. This means an attacker could potentially get sensitive information from the Operating System (OS) itself (as happens in the Meltdown vulnerability) or from another program (Spectre).
This is due to a flaw in the design of modern CPUs themselves, rather than a bug in any one piece of software.
What does this mean?
It opens up a whole new way for malicious actors to attack your computer.
Some of this can be mitigated in software, and most software vendors will be updating their products in the coming days, weeks and months to address what they can.
Other vectors for attacks created by these vulnerabilities are much trickier. They may only be completely removed when CPU manufacturers design and manufacture completely new processor architectures. This could be some years off...
Practical things we are doing
We are currently waiting for advice from our main hosting provider, Digital Ocean, who are monitoring the situation closely and working on and testing patches and updates.
Once we know what their recommendations are, we can start letting our clients know what they (and we) need to do.
There are also some other recommendations we are reading up on, which affect specific technology we have used on some sites. We will of course contact anyone affected once we know the full implications.
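As an added example (not part of the original post): once a Linux server such as a Digital Ocean droplet has been patched, the kernel itself reports whether the Meltdown and Spectre fixes are active, one file per issue under /sys/devices/system/cpu/vulnerabilities/ (present on Linux 4.15 and on distribution kernels that backported the fixes). The POSIX shell script below reads those files and gives a one-line verdict per issue, so you can confirm a reboot onto the new kernel actually took effect; it assumes only that the kernel is new enough to expose the directory, and reports "unknown" otherwise.

```shell
#!/bin/sh
# Summarise the kernel's own Meltdown/Spectre mitigation report.
# Example code added to this post; the sysfs path is the kernel's, the
# classification below is ours. VULN_DIR can be overridden for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS-LINE -> prints ok | vulnerable | unknown
# The kernel writes "Not affected", "Mitigation: <name>" or "Vulnerable[: detail]".
classify_status() {
    case "$1" in
        "Not affected"|Mitigation:*) echo "ok" ;;
        Vulnerable*)                 echo "vulnerable" ;;
        *)                           echo "unknown" ;;
    esac
}

# report_cpu_vulns: prints "<issue> <verdict> <kernel text>" per issue and
# returns 1 if anything is still vulnerable or cannot be determined.
report_cpu_vulns() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$VULN_DIR/$name"
        if [ -r "$file" ]; then
            status=$(cat "$file")
        else
            # Older kernels (or non-Linux hosts) do not expose the file at all.
            status="missing (kernel does not report this issue)"
        fi
        class=$(classify_status "$status")
        printf '%-11s %-10s %s\n' "$name" "$class" "$status"
        [ "$class" = ok ] || rc=1
    done
    return $rc
}

if report_cpu_vulns; then
    echo "all reported issues are mitigated"
else
    echo "action needed: install the vendor kernel update and reboot"
fi
```

A "Mitigation:" line only confirms the kernel side; browsers and other software on the host still need their own updates.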
Practical things you should do
Make sure you update your operating system (macOS, Windows, iOS, Android, etc.) and your browser (Chrome, Edge, Safari, etc.). Check for available updates now, and make sure automatic updates are switched on and working where they are offered.
As always, don't install any software, open any email attachments or visit any sites that you don't trust.
All of this is generally good security advice.
- The Meltdown and Spectre sites have some pretty good info and FAQs (aside—Security Vulnerabilities get their own branding/cool name now)
- Google's Project Zero original announcement—quite techy but some good info
- Google answering some common questions about Meltdown and Spectre—Specific to how it affects Google users
- An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience—A pretty good analogy from Cloudflare of how CPUs work and how this has led to the vulnerabilities