How To Protect Your Devices from The Meltdown and Spectre Attacks

The Short Version:

Update your operating system (Windows, Mac, iOS, Android), your web browser, and your computer’s firmware. Do the same for your mobile devices and tablets.

Avoid using sketchy websites, apps, or opening files from sources you don’t fully trust.
Fixes are not yet available for every device, but are being released cautiously by each vendor. Some updates may slightly slow down your device but are necessary to secure your information.

What Are Meltdown and Spectre?

Meltdown and Spectre are two security attacks made public this month. They could potentially allow access to sensitive information such as your passwords and credit card numbers by malicious sites and apps.

Both of these depend on a feature of your device’s processor called Speculative Execution. The processor makes an ‘educated guess’ about what code will run next, so its output is already available when needed. It does this to speed up apps significantly. The output from the speculatively run code is briefly left in cache memory, and that leftover output is what creates the vulnerability.

Windows

You need at least Windows 7 or Server 2008 R2 to receive the update. Most computers should have already received the update, but it can fail, and you may need to take steps to get it to install.

    • Windows 10, 8.1, 8, or Server 2012, 2012 R2 or 2016: Should automatically download and install the fix, but this sometimes fails.
      • Click Start > Settings > Update & Security. You should have no updates available if you are up to date. If not, click on Update history or View installed update history to see if it was already installed. Look for KB4056892.
      • If Windows Update fails, you can follow these Windows version-specific steps to troubleshoot it.
    • Windows 7 with Service Pack 1 or Windows Server 2008 R2:
    • Firmware: Check your PC manufacturer’s support website, and download the latest firmware update, if available:
    • Anti-Virus: If your PC has an AMD processor, your antivirus programs may not yet be compatible with the fix/update at the time of this writing.
      • If your antivirus and processor combo isn’t compatible, it could prevent Windows from booting.
        • Until your antivirus confirms it is compatible, Windows Update won’t install this fix nor any future updates.
          • You can run the following command, as Administrator, to re-enable updates as long as you don’t have an AMD processor:
            • wmic cpu get name | find /i "Intel" && REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /v cadca5fe-87d3-4b96-b7fb-a231484277cc /t REG_DWORD /d 0x
              • This checks if your processor is from Intel, then sets your registry so Windows Update knows your computer is compatible with the fix, which allows it and future updates to install.
      • Antivirus programs compatible with this fix on AMD processors, at the time of this writing:
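
The Windows checks described above can also be read from a PowerShell prompt instead of the Settings pages. This is an added example, not part of the original article: the function name Get-MeltdownPatchStatus is hypothetical, the KB number and registry value are the ones quoted above, and the script only reads state and changes nothing.

```powershell
# Added example (not from the original article): read-only status check.
# Run in Windows PowerShell. Nothing here modifies the registry or installs updates.

# Update named in this article; other Windows releases carry the fix
# under a different KB number, so adjust this if yours differs.
$kbId       = 'KB4056892'
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-MeltdownPatchStatus {   # hypothetical helper name
    # CPU details, the same data "wmic cpu get name" reads
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # Is the update in the installed-hotfix list? (returns nothing if absent)
    $hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue

    # Has the antivirus (or an administrator) set the compatibility value?
    $compat = Get-ItemProperty -Path $compatKey -Name $compatName `
                               -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Processor       = $cpu.Name
        Manufacturer    = $cpu.Manufacturer
        OSVersion       = $os.Version
        UpdateInstalled = [bool]$hotfix
        InstalledOn     = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        CompatValueSet  = [bool]$compat
    }
}

$status = Get-MeltdownPatchStatus
$status | Format-List

if ($status.UpdateInstalled) {
    Write-Output "$kbId is installed."
} elseif (-not $status.CompatValueSet) {
    # Matches the case above: Windows Update holds the fix back
    # until the antivirus confirms compatibility.
    Write-Output "$kbId not found and the QualityCompat value is missing."
    Write-Output "Update your antivirus first, then run Windows Update again."
} else {
    Write-Output "$kbId not found although the QualityCompat value is set."
    Write-Output "Check Update history for a failed install."
}
```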

Mac

Ensure you have the latest Mac OS High Sierra 10.13.2 update, which was released Dec. 6.

  • To check if you have the fix installed:
    • Click Apple icon in the upper-left, then click About this Mac to see if you have version 10.13.2.
  • To update, if you don’t yet have the fix installed:
    • Click on the App Store in your applications, then click the Update tab and click update your operating system.

Web Browsers

    • Google Chrome version 64 for Windows, Mac, and Android will be released January 23rd, 2018 and will contain fixes that reduce susceptibility to these attacks. Chrome for iOS will be updated later by Apple.
      • In the meantime, you can turn on Site Isolation, so that each tab runs in a separate process, instead of all tabs running in one process.
        To turn on Site Isolation in Google Chrome:

        • Copy  chrome://flags/#enable-site-per-process  and paste it into the address bar, above the web page.
        • Click the Enable box next to Strict Site Isolation
    • Firefox version 57 should receive the patch automatically, beginning January 23rd.
    • Microsoft Edge and Internet Explorer 11 browsers have an update available, which should be installed automatically via Windows Update.
    • Safari was updated as part of Apple’s updates to MacOS/OSX and iOS. See Mac or iPhone/iPad, below.

Mobile Devices

The processors in mobile devices are susceptible to the Meltdown attack. This has not been exploited in the field at the time of this writing, but that may change soon, so you should still be careful and update when possible.

Android Phones and Tablets

Most Android devices will take a while to receive updates. Update Google Chrome for Android on or after January 23rd, 2018, to at least secure your browser as much as possible. Google released an Android update on January 5th, but only Google-branded phones and tablets, such as Nexus 5 or later and Pixel, have been updated as of the time of this writing. Other manufacturers, such as Samsung, will be releasing updates soon, and we will update this article periodically as they are released.
On devices you use for work, uninstall games and apps from lesser-known companies, and any not certified by the Play Store’s Play Protect program.

iPhone, iPad, iPod Touch

The patch for these flaws is only available as part of the latest iOS 11.2+, which requires an iPhone 5S or newer, iPad Air or iPad Mini 2 or newer, or an iPod Touch 6th generation or newer.

  • To check if you have iOS 11.2 or later:
    • Tap Settings > General > About and look for Version.
  • To update to the latest version:
    • Tap Settings > General > Software Update.

Cloud Servers

The three big cloud providers (Microsoft, Google, and Amazon) have all updated their servers to mitigate the risk of these attacks, but you may need to update any virtual servers you host with them if they are not set to update automatically. If you use a smaller hosting company, such as for your website, you should check with them to ensure they have patched their systems, especially if you store sensitive information on them. If you use Amazon Web Services to host a virtual server, you may need to update to a newer virtual machine image manually. The same goes for Azure-hosted virtual machines.