Don’t have a Meltdown, just patch your devices
By now, most people have heard about Meltdown and Spectre, the nicknames for security flaws that make computers and other devices dating back to 1995 vulnerable to attacks.
But they may not know what do about it. Google’s Project Zero team clued the public in on these holes this week and since then, Apple, Microsoft and others have chimed in that their software needs to be updated with available patches.
“Patch as soon as you can and not just your computer. These vulnerabilities can affect phones and devices like routers at home,” advised Ryan Sommers, manager of threat research for cybersecurity firm LogRhythm in Boulder. “You wouldn’t necessarily know that you’ve been attacked just because your computer slows down, but after your bank account is drained.”
The bugs take advantage of processors from Intel Corp., AMD and ARM that handle millions of instructions per second. The flaw relies on a very small moment of time when a chip predicts what task must be done but then realizes it wasn’t needed, so it reverts. But in that brief moment — called speculative execution — malicious software can gain access to passwords, encryption keys and other data stored in the device’s memory.
Intel said it has not noticed any performance issues. And there are no reports yet of exploited security holes. Hardware and software makers are still scrambling to offer updates. And some antivirus software is preventing updates from installing, causing Microsoft to tell users to check with those
companies first.
Broomfield-based Webroot said its SecureAnywhere antivirus software is compatible and the update can be downloaded at Webroot Knowledge Base. It also will issue an automatic update next week.
The good news for consumers is that this impacts billions of devices, so the industry is working on fixes for businesses and consumers.
“If there’s a takeaway to be had, particularly for local businesses, it’s that everyone is on relatively equal footing with respect to these flaws. This is not a doomsday event,” said Keith McCammon, chief security officer and co-founder of Red Canary in Denver. “The information security community in Colorado is sizable and capable, and it shouldn’t be hard to find help or information if either is needed.”