How to Protect Your Devices Against Meltdown, Spectre Bugs

Revelations that security flaws in chips powering PCs, laptops, servers, phones, and other devices have gone unnoticed for years have whipped bug fixers and security experts into a frenzy this week.

in chips powering PCs, laptops, servers, phones, and other devices have gone unnoticed for years have whipped bug fixers and security experts into a frenzy this week.

The flaws, which researchers have code-named Meltdown and Spectre , relate to how a CPU handles tasks that it thinks your PC will need to perform in the future, known as speculative execution. According to Google’s Project Zero security team, in a worst case scenario the flaws could be exploited to reap sensitive information from these commands-in-waiting.

, relate to how a CPU handles tasks that it thinks your PC will need to perform in the future, known as speculative execution. According to Google’s

security team, in a worst case scenario the flaws could be exploited to reap sensitive information from these commands-in-waiting.

The good news is that some patches have already rolled out, but the bad news is that because so many companies are involved–from chip manufacturers to PC makers to operating system companies–figuring out if your computer is fully protected isn’t straightforward. For now, there are a few separate courses of action to follow to fortify your device, depending on which operating system you have. Then there’s the additional step of updating web browsers and other program, which every computer user should do regardless of OS.

Microsoft released a cumulative security update on Wednesday that offers software-level protection against speculative execution, which should roll out automatically to systems running Windows 10. To be sure your computer is up to date, open the Start menu, click the gear icon to open Settings, and click on Windows Update. The patch numbers for the Microsoft fixes can be found here .

Microsoft released a cumulative security update on Wednesday that offers software-level protection against speculative execution, which should roll out automatically to systems running Windows 10. To be sure your computer is up to date, open the Start menu, click the gear icon to open Settings, and click on Windows Update.

Microsoft notes that the mitigations can slow down your computer, most noticeably for systems running older Intel chips from 2015 and before.

While the protection this patch offers is a good first step, your Windows PC won’t be fully protected until a firmware update is applied as well. The availability of such an update depends on the company that manufactured your PC, as well as the chip manufacturer (Intel or AMD). Intel has already provided some patches to manufacturers, and plans to devlop fixes for every one of its chips released in the past five years by the end of January.

AMD has rolled out its own fixes to manufacturers, but it has also downplayed the threat. AMD CTO Mark Papermaster originally said there is a “near zero risk to AMD users.” However, the company later acknowledged the Spectre bug does affect its chips.

AMD has rolled out its own fixes to manufacturers, but it has also downplayed the threat. AMD CTO Mark Papermaster originally said there is a “near zero risk to AMD users.” However, the company later

Owners of Surface laptops and convertibles will get those updates applied automatically through Windows Update once they’re finished, according to Microsoft. If you own a system from a different company, you may need to check for firmware updates using a separate utility, like Lenovo Solution Center or Dell Update.

Another thing to note: Not all Windows PCs initially received the patches. That’s because the fixes can clash with certain antivirus software and cause serious errors. Microsoft is working to address the issue. More information can be found here .

Another thing to note: Not all Windows PCs initially received the patches. That’s because the fixes can clash with certain antivirus software and cause serious errors. Microsoft is working to address the issue. More information can be found

Some older AMD processors are also incompatible with the Microsoft patch, and as a result, haven’t received the fix.

processors are also incompatible with the Microsoft patch, and as a result, haven’t received the fix.

Google’s operating system, primarily found on inexpensive laptops, will be protected against the vulnerability in the Chrome 64 release, which is scheduled to launch later this month. For now, users can enable an experimental security feature in the Chrome web browser called Site Isolation , which provides protection against many different types of malware, including speculative execution.

Google’s operating system, primarily found on inexpensive laptops, will be protected against the vulnerability in the Chrome 64 release, which is scheduled to launch later this month. For now, users can enable an experimental security feature in the Chrome web browser called

, which provides protection against many different types of malware, including speculative execution.

The Android 2018-01-05 Security Patch Level is the first fix for speculative execution, and it is already available as of Thursday. Google’s Pixel phones will receive it automatically, while owners of other Android devices are at the mercy of their device manufacturers and wireless carriers, which decide when updates are rolled out.

To address the Meltdown vulnerability, Apple actually began rolling out patches via updates to iOS, macOS and tvOS starting last month. It released another patch on Jan. 8. Fortunately, the fixes resulted in ” no measurable reduction in the performance of macOS and iOS,” the company said in a statement .

To address the Meltdown vulnerability, Apple actually began rolling out patches via updates to iOS, macOS and tvOS starting last month. It released another

However, Apple is still developing future OS-based safeguards that will address the Spectre vulnerability.

While you’re waiting for Windows Update to finish working or your PC manufacturer to issue a firmware fix, you can still protect your online activity from exposure to the speculative execution vulnerability by fortifying your web browser.

Google Chrome users can enable Site Isolation, as discussed above. Meanwhile, Microsoft Edge and Mozilla Firefox have been updated to increase the time it takes to execute certain Java commands, which should mitigate the issue, according to a Mozilla blog post. Edge updates are rolled into the Microsoft security patch released on Wednesday, while Firefox users can click on About Firefox in the Help menu to see their update status.

Apple has its own fix for the Safari browser that is included in the Jan. 8 patches. According to the company’s benchmark tests, the patch has little or no measurable impact on the browser’s performance, the company said.

See Also : Your smartphone’s compass can protect you from voice hacks

Siri might be laughably incompetent right now, but it’s hard to argue that voice won’t play a substantial role in our future interactions with our smart devices.

right now, but it’s hard to argue that voice won’t play a substantial role in our future interactions with our smart devices.

Unfortunately, voice is one of the easiest things to hack. With an audio sample just a few minutes long, it’s possible for an attacker to simulate your voice convincingly enough to trick both people and high-end voice recognition systems.

Now, however, a team of New York State University engineers has developed a defence against this threat. Using only tools already on smartphones, it can detect machine-based voice impersonation attacks.

“Every aspect of your life is now on your phone,” said Kui Ren, director of the Ubiquitous Security and Privacy Research Laboratory and lead author on a paper describing the defence system that’ll be presented this week in Atlanta at the 37th International Conference on Distributed Computing Systems.

“Every aspect of your life is now on your phone,” said Kui Ren, director of the Ubiquitous Security and Privacy Research Laboratory and lead author on a

describing the defence system that’ll be presented this week in Atlanta at the 37th International Conference on Distributed Computing Systems.

Any attempt to replay your voice to fool a computer system must be broadcast on a speaker, and speakers generate a magnetic field as they operate. Inside your phone, however, is a magnetometer that’s normally used as a compass in navigation apps.

As well as this, the system uses the smartphone’s trajectory mapping algorithm to figure out the distance between the phone and the speaker. By mandating that a user be close to their phone when speaking, it guarantees that the magnetic field will be detected.

Finally, as a third layer of security, the system asks the user to move the phone in front of their mouth while using voice recognition. When a speaker playing a voice recording is moved, the magnetic field will change and the phone can detect it.

“With the Internet of things, what is a security interface? It is not like the phone. There is often no touchscreen or keypad so voice authentication may be useful,” said Ren.

“Technology is advancing so fast; we have to think of different ways. The strategy is using multiple lines of defense. We call that defense in depth.”