Spectre and Meltdown Security Vulnerabilities

By Matt,

January 2018

Last week, a group of security analysts at Google (Project Zero) announced that they had discovered 2 security vulnerabilities to do with computer processors (CPUs). These will affect us and our clients in a number of ways.

What is this?

Meltdown and Spectre are 2 security vulnerabilities affecting, basically, all modern CPUs and therefore almost every computer or device you use.

In short, they allow applications to get access to computer memory that they shouldn't be able to. This means an attacker could potentially get sensitive information from the Operating System (OS) (as happens in the Meltdown vulnerability) or from another program (Spectre).

This is due to a flaw in the design of how modern CPUs work.

What does this mean?

It opens up a whole new way for malicious actors to attack your computer.

Some of this can be fixed in software and most software vendors will be updating their products in the coming days, weeks and months to mitigate some of the issues.

Other vectors for attacks created by these vulnerabilities are much trickier. They may only be completely removed when CPU manufacturers design and manufacture completely new processor architectures. This could be some years off...

Practical things we are doing

We are currently waiting for advice from our main hosting provider. Digital Ocean are monitoring the situation closely and working on/testing patches and updates.

Once we know what their recommendations are, we can start letting our clients know what they (and we) need to do.

There are also some other recommendations we are reading up on, which affect some specific technology we've used on some sites. We will obviously contact anyone affected when we know all the implications.

Practical things you should do

Make sure you update your operating system (MacOS, Windows, iOS, Android, etc...) and your browser (Chrome, Edge, Safari, etc...). Go and check for available updates now and make sure automatic updates are switched on and working if available.

As always, don't install any software, open any email attachments or visit any sites that you don't trust.

All of this is generally good security advice.

Further reading