
Information Technology

Meltdown and Spectre

Posted on Monday, January 8th, 2018

The news is full of stories about two recent vulnerabilities that affect CPU hardware in nearly all computers manufactured since 1995, regardless of the operating system being used on the computer.  The vulnerabilities have been given several names, but the two that seem to be sticking the most (and aren't on a naughty words list) are Meltdown and Spectre.

Even though the source of the problem is in the computer hardware, patches are being provided by operating system vendors, e.g., Microsoft, Apple, and various Linux distributions.  Here are some details on timing:

  • Apple issued patches for recent versions of MacOS (High Sierra/10.13, Sierra/10.12, and El Capitan/10.11) in December that included fixes for these issues.  Earlier versions of MacOS are not supported and will not have patches created.  Apple OS upgrades are now free and should be applied routinely.
    • Apple issued additional patches on January 8 for MacOS 10.13.2 and iOS 11.2.2 to address Spectre issues.
  • Microsoft released patches late last night, January 4, for these issues.  Those should be available in campus SCCM and WSUS servers soon and should be applied soon thereafter.
  • Linux distributions have or soon will release patches in the form of kernel updates.  These should be applied as soon as they are available.
  • Chrome OS version 63 was released on December 15 and contains Meltdown patches.
  • In some cases, application software vendors are also providing updates.  The most notable in this category are web browsers (see below).  These updates should also be applied quickly when available.
  • For personally-owned computers at home, you should apply patches as soon as they become available to you.  For Apple, that should have already happened.  For Windows, they should be available as of Friday, January 5.
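As an added check that is not part of the original post: once a kernel update carrying these fixes is installed, Linux reports the mitigation status of each issue in one file per issue under /sys/devices/system/cpu/vulnerabilities. The script below reads those files and flags anything still reported as vulnerable; the VULN_DIR override and the status classification are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise the kernel's own report
# of Meltdown/Spectre mitigation status. Kernels with the fixes expose
# /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2};
# older kernels have no such directory at all.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"   # assumed override

# classify_status "STATUS LINE" -> mitigated | vulnerable | unaffected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> prints "<issue> <class> <raw status>" for each file present.
# Returns 0 if nothing is vulnerable, 1 if any issue is still vulnerable,
# 2 if the directory is missing (kernel predates the reporting interface).
report_dir() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel lacks mitigation reporting"; return 2; }
    for f in "$dir/meltdown" "$dir/spectre_v1" "$dir/spectre_v2"; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-11s %-11s %s\n' "$(basename "$f")" "$class" "$status"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

if report_dir "$VULN_DIR"; then
    echo "all reported issues are mitigated or not applicable"
else
    echo "action needed: apply the kernel update and reboot"
fi
```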

Web browsers provide a vector by which a computer can fall victim to Spectre.  Information about patches for Spectre for the most common browsers:

  • Mozilla Firefox has been updated to 57.0.4 to guard against Spectre attacks. The ESR version 52 of Firefox was less susceptible to Spectre to begin with.
  • Microsoft Internet Explorer and Edge browsers had patches included with other Microsoft patches on January 4.
  • Apple Safari was updated to 11.0.2 on January 8.  This version contains patches for Spectre for two older versions of MacOS (Sierra/10.12 and El Capitan/10.11).  The supplemental update for High Sierra 10.13.2 addressed Spectre for that MacOS version.
  • Google Chrome browser is scheduled for updates when Chrome OS 64 is released on January 23. In the meantime, an optional feature called Site Isolation can be enabled in the Chrome browser.

There have been published reports about the performance impact of these *required* patches, some touting a 30% reduction.  Those are absolute worst-case situations.  The performance impact on a typical end-user workstation should be negligible.