How to Handle Meltdown and Spectre on Linux Ubuntu

Meltdown and Spectre are the latest and most widespread vulnerabilities to rear their ugly heads. They hit nearly every computer in the world, and that’s not an exaggeration. But what are they exactly?

Both are core flaws in the way most processors are designed. Meltdown mainly impacts Intel CPUs and some ARM (cellphone) processors. Spectre, on the other hand, affects nearly every processor. To make matters worse, there are two different variations of Spectre that play on different CPU behaviors.

Both Meltdown and Spectre use the intended behavior of modern CPUs to gain access to information stored in the computer’s memory. That information should only be accessible to privileged system processes, but Meltdown and Spectre bypass the barriers protecting it by going through an established channel (the CPU itself) at the lowest, most fundamental level.

So what exactly does that mean? By using a Meltdown or Spectre exploit, an attacker or malware can snoop on other processes running on your system and steal their information. That means it can access passwords or other sensitive information that’s running through other programs without actually modifying them or installing anything.

When it comes to Meltdown and Spectre, you should be concerned but not freaked out. There haven’t been any documented cases of either exploit actually being used just yet. That means that there’s still time for software and hardware manufacturers to fix these problems before you actually need to worry about being hit by either exploit.

Pay attention, though. Right now a race is on. Attackers will be looking for ways to use these exploits against people. At the same time, security researchers and software developers are working on getting patches out to the public to mitigate the exploits. Watch out for news from both fronts.

Ubuntu Spectre Meltdown Progress

First of all, there isn’t much that you can do on your own but watch and wait for updates. Thankfully, there already are a lot of updates available for Ubuntu. You only need to install them.

Note: the same rule applies for most Linux distros. Keep your operating system updated to the latest version, and you should be safe.

Kernels

The kernels available for Ubuntu 16.04, 17.10, and 18.04 have all been patched against Meltdown. If you’re running any of the latest versions of Ubuntu, make sure that you update your system, or at least see that you have the latest available kernel. Restart your system after the kernel is installed to make certain that it is loaded and running.
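A quick way to confirm the two points above on a live system: ask the kernel itself what it reports about the Meltdown and Spectre mitigations, and check whether the kernel you are running is the newest one installed (if not, the patched kernel is waiting for a reboot). This is an added example, not code from the article; it assumes the kernel exposes the sysfs entries under `/sys/devices/system/cpu/vulnerabilities` (patched kernels do; an older, unpatched kernel has no such directory) and that kernel images live in `/boot` as `vmlinuz-<version>`.

```shell
#!/bin/sh
# Report the kernel's own view of the Meltdown/Spectre mitigations and whether a
# newer kernel is installed but not yet booted. Paths are passed as arguments so
# the checks can also be run against a constructed directory for testing.

# Classify the kernel's sysfs report for one vulnerability.
# $1 = vulnerabilities directory, $2 = entry name (meltdown, spectre_v1, spectre_v2)
# Prints: not-affected | mitigated | vulnerable | unknown (entry missing: kernel too old)
mitigation_state() {
    f="$1/$2"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Is the running kernel ($1, e.g. from `uname -r`) the newest vmlinuz-<version> in $2?
# Exit 0 when it is; 1 when a newer installed kernel still needs a reboot to take effect.
running_kernel_is_newest() {
    newest=$(ls "$2"/vmlinuz-* 2>/dev/null | sed 's,.*/vmlinuz-,,' | sort -V | tail -n 1)
    [ -n "$newest" ] && [ "$newest" = "$1" ]
}

# One-line summary per vulnerability for the live system, plus the reboot check.
report_live_system() {
    dir=/sys/devices/system/cpu/vulnerabilities
    for v in meltdown spectre_v1 spectre_v2; do
        printf '%-10s %s\n' "$v" "$(mitigation_state "$dir" "$v")"
    done
    if running_kernel_is_newest "$(uname -r)" /boot; then
        echo "kernel $(uname -r) is the newest installed"
    else
        echo "a newer kernel is installed; reboot to load it"
    fi
}

report_live_system
```

A result of `unknown` for every entry means the running kernel predates the mitigation reporting entirely, which on Ubuntu is itself a sign that the patched kernel has not been booted yet.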

Compilers

The fix for the second version of Spectre is being implemented through compilers. The compilers can change the way software is built to mitigate Spectre v2.

GCC

The fix for Spectre v2 has been added to GCC 7.3. Ubuntu hasn’t added it to its repositories as of yet, and they aren’t building their packages with it yet either. Eventually, newer versions of Ubuntu will have packages built with GCC 7.3 or later. Older versions will probably have the fix backported to an earlier version of GCC.

In either case, there isn’t much that you can do here. Trust that Canonical will be quick to remedy the issue. If you build your own software, look out for GCC 7.3 in the repositories or news of the patches being backported.

LLVM

The situation with LLVM is very similar to that with GCC. The fixes have been implemented in the LLVM 7 branch, which hasn’t even been released yet. The LLVM developers have backported the patches to LLVM 6 and LLVM 5, so there’s a good chance that you already have them on your system if you’re running either one. Again, look out for updates.

Web Browsers

Web browsers are also involved in this messy equation. Spectre can be exploited through JavaScript. As a result, code on the open Web can actually be used to attack your system with Spectre. Common browsers are being patched to guard against Spectre, though.

Firefox

If you aren’t already using the latest version of Firefox, you should be. It’s actually a massive improvement. More than that, Firefox 57.0.4 has been patched against Spectre. It should be available by default in the repositories. If you find yourself unable to install it, grab the generic Linux version from Mozilla, and run it locally until it becomes available.

Google Chrome

Google patched Chrome 64 against Spectre. That means that both Google Chrome 64 and Chromium 64 should include all necessary patches to mitigate the exploit. If you haven’t already updated your browser, do so.

Meltdown and Spectre are a big problem, but progress is being made. One of the most amazing aspects of the open source community is its ability to adapt. Security issues come and go, and they usually disappear pretty quickly when it comes to open source projects. As long as you keep Ubuntu updated, you shouldn’t need to worry about the effects of Meltdown or Spectre for very long.

Image credit: grid of chips with a red spectre symbol on one of the cpus by DepositPhotos

6 comments

  1. Gee... I have been led to believe that nothing would harm Linux in the malware world. I am being very sarcastic, of course. I have always felt that any computer could fall prey to malware. Now, some operating systems are more resistant, but in the end, they can get malware. Apple products also fall into this category.

    I am really glad that there are methods to eliminate the Meltdown and Spectre vulnerabilities for Linux. What is most exciting is that Linux users really only need to keep up with their updates to prevent this. Wish it was so for the Windows users... Sigh. Glad that the 2 most used browsers are taking this seriously and providing updates to prevent the Meltdown and Spectre vulnerabilities. Nice to know that they really care about their users (being sarcastic, again).

    • The problem here is not either Linux or Windows. It is with the manufacturers’ processors and firmware. Linux has never said it was invincible, just safer due to how it handles security. I believe in the old adage, “If man can code it, man can hack it”.

  2. I cannot help but wonder, since this exposure has been around a long time, especially in Intel chips, that someone has not already looked at this flaw and decided it’s just not attractive enough to pursue. This would definitely be more attractive at the server level than a personal PC. As has been noted, nothing in the wild has been discovered for either Meltdown or Spectre.
    What interests me is Google’s Retpoline solution for Linux, which appears, at least from Google’s point of view, to be less of a hit on performance. Google implemented this on their servers and seems to feel it’s working well. I’ve convinced myself to basically leave one PC alone and not install the patches. My primary, a Kaby Lake notebook, will get them, but so far I have yet to see any firmware for my Haswell desktop or my AMD A8 motherboard maker, Biostar, which outright told me the board did not need a BIOS update because AMD was not affected. This basically tells me a lot of older hardware may never see a BIOS update to address Spectre.
