Go Update Your Kernel... Yesterday
The thing about vulnerabilities is that there’s always a new one to mitigate. While Linux does not suffer the same virus and worm threats that Windows does, it’s by no means invulnerable. The great thing about running Linux, though, is that you can update
By using package managers, users can quickly update their systems with a few keystrokes. The problem with this model is that, unlike a typical software flaw, Meltdown and Spectre are both hardware vulnerabilities. Until Intel and AMD correct the vulnerabilities in hardware, users will have to rely on software fixes. Unfortunately, the mitigation strategies employed by the kernel developers result in slower execution of code. That means slower desktop applications for the end user. It really sucks, but it’s the cost of security.
What this means to the end user is that code will run a bit slower on Linux until better fixes or architectures have been developed. But for now, the big task at hand is to make sure you update your kernel. As of this writing, kernel 4.15 has been released, which includes patches to address Spectre and Meltdown vulnerabilities.
You may not have to upgrade to 4.15 to get the relevant security patches. Ubuntu, for example, released backported patches for kernels 3.13 (Ubuntu 14.04), 4.4 (Ubuntu 16.04), and 4.13 (Ubuntu 17.10). Ubuntu 18.04 will ship with a version of kernel 4.5 in April.
Figure caption: This system running kernel 4.15 is still vulnerable.
Kernel 4.15 doesn’t fix everything that’s wrong with your system, though. At the time of writing, my Arch laptop running kernel 4.15 is still vulnerable to Spectre Variant 1. For now, there is no mitigation for that particular vulnerability. Spectre Variant 2 and Meltdown (Variant 3) are both mitigated, however. Of course, it may be worth your while to grab kernel 4.15 for its features and other bugfixes.
The fun doesn’t end with kernels, either. User-space applications that are capable of running untrusted code are possible vectors for attack. Some users may think, “Pshaw, I don’t run code I don’t trust!” The fact of the matter is that normal people run untrusted code all the time. JavaScript is executable code that can be run from any website, without explicitly trusting the site. While sketchier websites are more likely to serve malicious code, even trusted sites can serve up malicious code through ads. The mitigation measure is—you guessed it—an update to your software.
The only problem I see with Linux folks is that unlike Windows 10, Linux won’t hold your hand. For many Linux distributions, updating is left up to the user, which means that a system could go unpatched for a long time. As annoying as Windows 10’s automatic updates are, the one advantage is that Windows systems stay up to date.
If your distribution doesn’t have an automatic update application, I highly suggest running an update manually on a weekly basis. (Some rolling-release distributions don’t use automatic updates because they can break a system.) Often, an update takes only a couple dozen keystrokes at most, and can be completed in minutes.
After updating the OS and kernel, what is a worried Linux user to do? Unfortunately, there’s not much to do. Like I said before, the Spectre and Meltdown vulnerabilities exist mainly as hardware flaws. Since the hardware is the root cause of this evil, updates to hardware will lift all OS boats. Until CPUs are engineered to mitigate these exploits, all we can do is keep our systems updated and suck up the performance hits.
There is a script on GitHub that can let you know if you are vulnerable, and which variant you’re vulnerable to: https://github.com/speed47/spectre-meltdown-checker. To run the script, download it with git, change into the directory, and then run the script.
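As an added example (not part of the original article, and not the spectre-meltdown-checker script), the POSIX shell functions below read the kernel's own per-variant status from /sys/devices/system/cpu/vulnerabilities, which Linux exposes from 4.15 onward, and classify Meltdown, Spectre v1 and Spectre v2 as vulnerable, mitigated or unaffected; the directory path and the three file names are assumed from that interface.

```shell
#!/bin/sh
# Added example: summarise the kernel's reported Meltdown/Spectre status.
# Assumes the sysfs interface introduced in Linux 4.15 (absent on older kernels).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<sysfs line>" -> prints vulnerable | mitigated | unaffected | unknown
classify_status() {
  case "$1" in
    "Not affected") echo unaffected ;;
    Vulnerable*)    echo vulnerable ;;   # "Vulnerable" or "Vulnerable: <detail>"
    Mitigation:*)   echo mitigated ;;    # e.g. "Mitigation: PTI"
    *)              echo unknown ;;
  esac
}

# report_vulnerabilities [DIR] -> one line per variant; returns 1 if any is vulnerable
report_vulnerabilities() {
  vdir="${1:-$VULN_DIR}"
  rc=0
  for f in "$vdir"/meltdown "$vdir"/spectre_v1 "$vdir"/spectre_v2; do
    name=$(basename "$f")
    if [ ! -r "$f" ]; then
      echo "$name: no sysfs entry (kernel older than 4.15, or not Linux)"
      continue
    fi
    status=$(cat "$f")
    class=$(classify_status "$status")
    printf '%-10s %-11s %s\n' "$name" "$class" "$status"
    [ "$class" = vulnerable ] && rc=1
  done
  return $rc
}

# Stand-alone run against the live system (exit status 1 means "update your kernel").
report_vulnerabilities || echo "WARNING: at least one variant is unmitigated"
```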
Alex Campbell is a Linux geek who enjoys learning about computer security.