File photo. (REUTERS/Kacper Pempel )
Revelations that security flaws in chips powering PCs, laptops, servers, phones, and other devices have gone unnoticed for years have whipped bug fixers and security experts into a frenzy this week.
The flaws, which researchers have code-named Meltdown and Spectre, relate to how a CPU handles tasks that it thinks your PC will need to perform in the future, known as speculative execution. According to Google's Project Zero security team, in a worst case scenario the flaws could be exploited to reap sensitive information from these commands-in-waiting.
The good news is that some patches have already rolled out, but the bad news is that because so many companies are involved—from chip manufacturers to PC makers to operating system companies—figuring out if your computer is fully protected isn't straightforward. For now, there are a few separate courses of action to follow to fortify your device, depending on which operating system you have. Then there's the additional step of updating web browsers and other program, which every computer user should do regardless of OS.
Microsoft released a cumulative security update on Wednesday that offers software-level protection against speculative execution, which should roll out automatically to systems running Windows 10. To be sure your computer is up to date, open the Start menu, click the gear icon to open Settings, and click on Windows Update.
Microsoft notes that the mitigations may slow down your computer. "For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer," the company wrote.
While the protection this patch offers is a good first step, your Windows PC won't be fully protected until a firmware update is applied as well. The availability of such an update depends on the company that manufactured your PC, as well as the chip manufacturer (Intel or AMD). Intel said Wednesday that it has already provided some firmware updates to system manufacturers.
Owners of Surface laptops and convertibles will get those updates applied automatically through Windows Update once they're finished, according to Microsoft. If you own a system from a different company, you'll need to check for firmware updates using a separate utility, like Lenovo Solution Center or Dell Update.
For Chrome OS
Google's operating system, primarily found on inexpensive laptops, will be protected against the vulnerability in the Chrome 64 release, which is scheduled to launch later this month. For now, users can enable an experimental security feature in the Chrome web browser called Site Isolation, which provides protection against many different types of malware, including speculative execution.
The Android 2018-01-05 Security Patch Level is the first fix for speculative execution, and it is already available as of Thursday. Google's Pixel phones will receive it automatically, while owners of other Android devices are at the mercy of their device manufacturers and wireless carriers, which decide when updates are rolled out.
For MacOS and iOS
The good news is that unlike on Windows, laptops and desktops running macOS will probably get a single security update that will include both software and firmware fixes, since Apple controls the entire update process for its computers. The bad news is that there's no indication of when such an update will be available; Apple has not commented as of Thursday, and the last macOS update was issued in early December. The same goes for iOS devices.
Web Browser Fixes
While you're waiting for Windows Update to finish working or your PC manufacturer to issue a firmware fix, you can still protect your online activity from exposure to the speculative execution vulnerability by fortifying your web browser.
Google Chrome users can enable Site Isolation, as discussed above. Meanwhile, Microsoft Edge and Mozilla Firefox have been updated to increase the time it takes to execute certain Java commands, which should mitigate the issue, according to a Mozilla blog post. Edge updates are rolled into the Microsoft security patch released on Wednesday, while Firefox users can click on About Firefox in the Help menu to see their update status.