Spectre? Meltdown? F*CKWIT? Calm down and make yourself some tea

Don't panic, drink tea, patch early.


Within hours of writing my original article about the F*CKWIT Intel CPU flaw (also known as KPTI or KAISER) things moved on quite a lot.

Google’s Project Zero vulnerability research team published technical details of serious security flaws caused by “speculative execution” that they had found not just with Intel chips, but also certain AMD and ARM processors.

Dubbed Spectre and Meltdown (and if you’re loving all these names, you should be aware that there are also cute logos), the attacks could be used to read system memory that *should* have been inaccessible.

In short, an attacker could steal sensitive information such as passwords or encryption keys from your computer’s memory. And because these flaws are in your computer’s chips, it’s not a problem that is particularly easy to properly fix without a hardware fix. Yuck.

The solution? Change the low-level software that speaks to the hardware, as the chips can no longer be trusted to do what they were supposed to be doing.

The good news is that these flaws have been known about - but kept quiet - for some months. That’s how they found the time to create the natty bug logos and consumer-friendly websites discussing the topic. The researchers who discovered the problems disclosed them to chip manufacturers and software vendors, who have been feverishly working on fixes.

So far we simply do not know if the vulnerabilities have been maliciously exploited in the wild.

Here’s what various vendors are saying to their users and customers (note - this is inevitably an incomplete list):

So, what should you be doing about this?

Clearly these are critical security vulnerabilities, but there is not much that consumers can do other than wait for security patches to be released and then apply them as a matter of priority.

In short: Don’t panic, make a cup of tea (coffee is also acceptable), and ensure that you install patches and security updates as they continue to roll out.

FWIW, I don’t drink tea or coffee. But I’m making an exception this morning.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:


12 Responses

  1. Habeas

    January 4, 2018 at 1:26 pm #

    You don’t drink tea or coffee !!! ?

    • Graham Cluley in reply to Habeas.

      January 4, 2018 at 1:34 pm #

      As I explained to someone on Twitter (and I may have covered this on the “Smashing Security” podcast as well..), I have never liked hot drinks. It’s a real problem - especially for a Brit like me. People expect me to drink tea and get upset that I don’t drink tea. Sometimes I have to force myself to accept a cup of tea to calm down the other person, and then pour it in a pot plant.

      • coyote in reply to Graham Cluley.

        January 4, 2018 at 3:31 pm #

        Ha. You know Graham I love tea - black tea with a little bit of milk (there is no such thing as any other kind of tea as far as I’m concerned). But it irritates a certain tract too much that I gave up on it. Of course the fact it’s often rather hot here (last month - yes December and this is nothing new - it was 35 C).

        Funny that you have to boil water to make tea only to dump it. They must be *amazingly calm in emergencies!* Happy New Year to you btw!

  2. Dave

    January 4, 2018 at 2:35 pm #

    So no Apple issues? Do you know anything about their chip maker and why they would not have made similar errors?

    • coyote in reply to Dave.

      January 4, 2018 at 3:32 pm #

      Wouldn’t rule that out just yet … And they use Intel btw.

    • Pezno Fizzeen in reply to Dave.

      January 4, 2018 at 5:41 pm #

      If your “So no Apple issues?” query is prompted by the fact that Apple (as of this writing) hasn’t issued a statement to their customers, there are three points to consider:

      1. As the article says, the list is incomplete.
      2. Apple rarely makes public comments on anything…especially anything having to do with potential vulnerabilities.
      3. If they were to commit to issuing a patch, they would have to specify which systems are affected, or at least say which systems they’re willing to support with the necessary patches. That would force them to take a firm public position that all of the systems they’re not willing to support are essentially obsolete.

      In the past, it has not been customary for Apple to explicitly confirm any forced obsolescence of Apple products. For example, they never explicitly announce that any given version of OS X (now macOS) is no longer supported. They simply stop issuing updates; it’s up to users to figure out that some part of their system is obsolete.

      This is not to say that Apple will remain silent. But unless you’re running the latest hardware and software, you might not like what you hear.

      Apple users should pay close attention to this issue. The fact that Apple hasn’t commented doesn’t mean Apple users are unaffected.

      • coyote in reply to Pezno Fizzeen.

        January 4, 2018 at 7:40 pm #

        I was thinking of that too but you put it much better than I could have so thanks on my behalf.

      • Graham Cluley in reply to Pezno Fizzeen.

        January 5, 2018 at 11:12 am #

        Apple has since issued a statement, and I’ve updated the article to link to it.

    • Graham Cluley in reply to Dave.

      January 4, 2018 at 5:48 pm #

      It appears Apple took steps with macOS 10.13.2 last month to protect against the flaws.

      See https://twitter.com/aionescu/status/948609809540046849

      (And from the sound of things they’ll include more mitigations in an upcoming 10.13.3 update)

      More details here: http://appleinsider.com/articles/18/01/03/apple-has-already-partially-implemented-fix-in-macos-for-kpti-intel-cpu-security-flaw

      • coyote in reply to Graham Cluley.

        January 4, 2018 at 7:41 pm #

        Still of course remembering what Pezno Fizzeen points out is rather wise as Apple tends to operate in the way described.

  3. coyote

    January 4, 2018 at 7:44 pm #

    Now this is interesting: the CVEs according to Red Hat have only impact of ‘Important’. I find that rather odd. From the sound of it this is a lot more than ‘important’. Mind you they might have more information than we do but unless - and it’s certainly possible - it’s an issue of sensationalism (though not entirely of course) then I am quite baffled that they’ve only indicated it being ‘Important’.

  4. coyote

    January 4, 2018 at 9:49 pm #

    For those who use Red Hat based distributions: the CVEs have been patched. For Fedora and CentOS the kernel updates have been pushed already. If you don’t see updates available then as root (for CentOS use ‘yum’ and Fedora uses ‘dnf’ these days but ‘yum’ still works it’s just using dnf itself). No idea on the code formatting here so you’ll have to work that out yourself - the ‘#’ is of course the prompt.

    # yum makecache && yum update

    …should do it. If for some reason not you can try:

    # yum clean metadata && yum update

    (…you shouldn’t need to rebuild cache after cleaning as it should do it itself).

    So far performance hasn’t been bad at all. Still waiting for it to normalise after reboot but it seems might be good. And the box in question is from 2009 too so that’s a relief.
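A way to confirm, after the kernel update and reboot described in the comment above, that the running kernel actually reports the mitigations as active. This is an added example, not part of the original comment or article; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (an interface not mentioned on this page), and the sample status strings in the demo are constructed.

```sh
#!/bin/sh
# Added example: after updating and rebooting, ask the running kernel which
# Meltdown/Spectre mitigations are active. Assumes the kernel exposes
# /sys/devices/system/cpu/vulnerabilities (assumption, not from the page).
#
# check_cpu_vulns [DIR] prints one line per entry and returns:
#   0  every entry reads "Not affected" or "Mitigation: ..."
#   1  at least one entry reads "Vulnerable..."
#   2  directory/entry missing or unrecognised (state unknown, treat as unpatched)
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation state" >&2
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        if [ ! -r "$dir/$name" ]; then
            echo "$name: not reported"
            [ "$rc" -eq 1 ] || rc=2      # "Vulnerable" outranks "unknown"
            continue
        fi
        status=$(cat "$dir/$name")
        echo "$name: $status"
        case "$status" in
            Vulnerable*)                 rc=1 ;;
            "Not affected"|Mitigation:*) ;;
            *)                           [ "$rc" -eq 1 ] || rc=2 ;;
        esac
    done
    return "$rc"
}

# Demo on constructed sample data (not output from a real host): Meltdown is
# mitigated by page-table isolation, but one Spectre entry is still open.
demo_dir=$(mktemp -d)
printf 'Mitigation: PTI\n'                         > "$demo_dir/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$demo_dir/spectre_v1"
printf 'Vulnerable\n'                              > "$demo_dir/spectre_v2"
check_cpu_vulns "$demo_dir" || echo "action needed (exit $?)"
rm -rf "$demo_dir"
```

Called with no argument, `check_cpu_vulns` reads the live sysfs directory; exit status 2 on a real host means the running kernel predates the reporting interface, so the update has probably not been applied or the machine has not been rebooted into it.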
