Meltdown and Spectre are the latest and most widespread vulnerabilities to rear their ugly heads. They hit nearly every computer in the world, and that’s not an exaggeration. But what are they exactly?
Both are core flaws in the way most processors are designed. Meltdown mainly impacts Intel CPUs and some ARM (cellphone) processors. Spectre, on the other hand, affects nearly every processor. To make matters worse, there are two different variations of Spectre that play on different CPU behaviors.
Both Meltdown and Spectre use the intended behavior of modern CPUs to gain access to information stored in the computer’s memory. That information should only be accessible by privileged system processes, but both Meltdown and Spectre bypass any barriers to that information by accessing it through established channels (the CPU) and doing so at the lowest most fundamental levels.
So what exactly does that mean? By using a Meltdown or Spectre exploit, an attacker or malware can snoop on other processes running on your system and steal their information. That means it can access passwords or other sensitive information that’s running through other programs without actually modifying them or installing anything.
Should You Be Concerned?
When it comes to Meltdown and Spectre, you should be concerned but not freaked out. There haven’t been any documented cases of either exploit actually being used just yet. That means that there’s still time for software and hardware manufacturers to fix these problems before you actually need to worry about being hit by either exploit.
Pay attention, though. Right now a race is on. Attackers will be looking for ways to use these exploits against people. At the same time, security researchers and software developers are working on getting patches out to the public to mitigate the exploits. Watch out for news from both fronts.
What You Can Do to Prevent Meltdown and Spectre on Linux Ubuntu
First of all, there isn’t much that you can do on your own but watch and wait for updates. Thankfully, there already are a lot of updates available for Ubuntu. You only need to install them.
Note: the same rule applies for most Linux distros. Keep your operating system updated to the latest version, and you should be safe.
The kernels available for Ubuntu 16.04, 17.10, and 18.04 have all been patched against Meltdown. If you’re running any of the latest versions of Ubuntu, make sure that you update your system or, at least see that you have the latest available kernel. Restart your system after the kernel is installed to make certain that it is loaded and running.
The fix for the second version of Spectre is being implemented through compilers. The compilers can change the way software is built to mitigate Spectre v2.
The fix for Spectre v2 has been added to GCC 7.3. Ubuntu hasn’t added it to its repositories as of yet, and they aren’t building their packages with it yet either. Eventually, newer versions of Ubuntu will have packages built with GCC 7.3 or later. Older versions will probably have the fix backported to an earlier version of GCC.
In either case, there isn’t much that you can do here. Trust that Canonical will be quick to remedy the issue. If you build your own software, look out for GCC 7.3 in the repositories or news of the patches being backported.
The situation with LLVM is very similar to that with GCC. The fixes have been implemented in the LLVM 7 branch, and it hasn’t even been released yet. The LLVM developers have backported patches to LLVM 6 and LLVM 5. There’s actually a good chance that you already have the patches on your system if you’re running either one. Again, look out for updates.
If you aren’t already using the latest version of Firefox, you should be. It’s actually a massive improvement. More than that, Firefox 57.0.4 has been patched against Spectre. It should be available by default in the repositories. If you find yourself unable to install it, grab the generic Linux version from Mozilla, and run it locally until it becomes available.
Google patched Chrome 64 against Spectre. That means that both Google Chrome 64 and Chromium 64 should include all necessary patches to mitigate the exploit. If you haven’t already updated your browser, do so.
Meltdown and Spectre are a big problem, but progress is being made. One of the most amazing aspects of the open source community is its ability to adapt. Security issues come and go, and they usually disappear pretty quickly when it comes to open source projects. As long as you keep Ubuntu updated, you shouldn’t need to worry about the effects of Meltdown or Spectre for very long.
Image credit: grid of chips with a red spectre symbol on one of the cpus by DepositPhotos