By now you have likely heard of the security vulnerabilities known as "Meltdown" and "Spectre." The purpose of this blog post is to give you a brief description of these vulnerabilities and what you need to do to mitigate the associated risks.
Let's discuss Meltdown first. Meltdown is the name given to a CPU (central processing unit; basically the microchip that runs your computer) design flaw that affects the security boundaries enforced by the CPU or processor. It essentially breaks down the boundary that separates user applications from accessing privileged system memory space. The Meltdown vulnerability is confirmed to exist in all Intel processors since 1995, except for Intel Itanium and Intel Atom before 2013. This includes computers by popular vendors such as Apple, Microsoft, Dell, HP, and Lenovo.
Spectre is similar but different in some important ways. Spectre is the name given to a CPU design flaw that allows an attacker to utilize a CPU's cache channel to read arbitrary memory from a running process. Unlike Meltdown, Spectre can only read memory from the current process, not from kernel or system memory. Also, unlike Meltdown, Spectre is confirmed to affect Intel, AMD, and ARM processors. This includes computers, tablets and smartphones made by popular vendors such as Apple, Microsoft, Dell, HP, Google, and Lenovo. The relatively good news is that it is much more difficult to successfully exploit Spectre and the attack surface is limited to user space processes, e.g. web browsers, desktop applications.
There's two important things that we want you to know about these vulnerabilities. If you remember nothing else, remember this:
1.) Don't panic. While these vulnerabilities are widespread and definitely very bad, there is no need to panic. There's no need to go buy a new computer or go back to using pen and paper. You may read some very scary media reports about the potential impacts of these vulnerabilities. This is common when widespread vulnerabilities are announced.
2.) Keep your software up-to-date. This is good cyber-hygiene no matter the circumstance. This includes your operating system (Windows, MacOS, Linux, iOS, and Android), your browser (Microsoft Edge, Google Chrome, Firefox, Safari), and your browser plug-ins. Vendors are working very hard to produce software to mitigate the risks of these vulnerabilities. Make sure you install these updates when they are available.
If you have any questions about how to make sure that you're running the latest software, call the IT Support Center at 202-994-4948 or e-mail ithelp@gwu.edu.
Want to learn more? Check out the following:
Apple announcement: https://support.apple.com/en-us/HT208394
Simple, brief write-up by security researcher Daniel Miessler: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/
Vulnerability website: https://spectreattack.com/