How to protect your PC from the Meltdown and Spectre CPU flaws

How to protect your PC from the Meltdown and Spectre CPU flaws

CCRadmin Uncategorized

A pair of nasty CPU exploits have serious ramifications for home computer users. Meltdown and Spectre let attackers access protected information in your PC’s kernel memory, potentially revealing sensitive details like passwords, cryptographic keys, personal photos and email, or anything else you’ve used on your computer. These are serious flaws. Fortunately, CPU and operating system vendors pushed out patches fast, and you can protect your PC from Meltdown and Spectre to some degree.

It’s not a quick one-and-done deal, though. They’re two very different CPU flaws that touch every part of your operating system, from hardware to software to the operating system itself. Check out PCWorld’s Meltdown and Spectre FAQ for everything you need to know about the vulnerabilities themselves. We’ve cut through the technical jargon to explain what you need to know in clear, easy-to-read language. We’ve also created an overview of how the Spectre CPU bug affects phones and tablets.

The guide you’re reading now focuses solely on protecting your computer against the Meltdown and Spectre CPU flaws.

SECURITY
What you need to know about Meltdown and Spectre (27:28)
How to protect your PC against Meltdown and Spectre CPU flaws
Here’s a quick step-by-step checklist, followed by the full process.

Update your operating system
Check for firmware updates
Update your browser
Update other software
Keep your antivirus active
First, and most important: Update your operating system right now. The more severe flaw, Meltdown, affects “effectively every [Intel] processor since 1995,” according to the Google security researchers that discovered it. It’s an issue with the hardware itself, but the major operating system makers have rolled out updates that protect against the Meltdown and Spectre CPU flaws.

windows update meltdown
Brad Chacos/IDG
Where to update Windows 10.
Microsoft pushed out an emergency Windows patch late in the day on January 3. If it didn’t automatically update your PC, head to Start > Settings > Update & Security > Windows Update, then click the Check now button under “Update status.” (Alternatively, you can just search for “Windows Update,” which also works for Windows 7 and 8.) Your system should detect the available update and begin downloading it. Install the update immediately. We do not recommend manually installing the Windows Meltdown patches if Microsoft hasn’t pushed them to your PC via Windows Update.

Apple quietly worked Meltdown protections into macOS High Sierra 10.13.2, which released in December. If your Mac doesn’t automatically apply updates, force it by going into the App Store’s Update tab. Chromebooks should have already updated to Chrome OS 63 in December. It contains mitigations against the CPU flaws. Linux developers are working on kernel patches. Patches are also available for the Linux kernel.

Check for a CPU firmware update
Core i7-8700K Coffee Lake
Gordon Mah Ung
Intel’s Core i7-8700K CPU is vulnerable to Meltdown and Spectre.
You also need to install CPU microcode/firmware fixes to protect against one of the Spectre variants, which can’t be combated by operating system patches alone. Intel released firmware updates for most of its processors released in the past five years—but the “fix” can cause system instability, reboots, and data loss or corruption.

Intel has identified the root cause but advises that users do not install currently available CPU firmware patches, reversing its earlier guidance. Instead, the company counsels users to wait until new, more stable microcode updates arrive, which are currently being tested by Intel’s hardware partners. The first arrived on February 7, in the form of a new Spectre firmware patch for Intel’s 6th-gen Skylake CPUs.

Microsoft released an emergency Windows patch that disables Intel’s buggy Spectre fix, but it’s an optional update that’s only recommended if you’re encountering system issues. Remember: Backing up your data regularly is one of the most crucial actions you can take on your PC, whether you’re saving the information to a cloud backup service or an external hard drive. If you’re not doing it yet, start doing it today!

Now for more bad news. The operating system and CPU firmware patch combo will slow down your PC, though the extent varies wildly depending on your CPU and the workloads you’re running.

Intel expects the impact to be fairly small for most consumer applications like games or web browsing. Initial testing supports that, and reveals storage speeds can take a significant dip. Microsoft says Windows 10 PCs with Skylake (Core 6xxx series) chips or newer shouldn’t see much performance impact; Windows 10 PCs with 2015-era or older Intel processors “show more significant slowdowns;” and on Windows 7 and 8 systems with older Intel CPUs, Microsoft “expects most users to notice a decrease in system performance.”

PCWorld has tested the patches on a modern Surface Book and an older laptop, both equipped with Windows 10, and the results largely support Microsoft’s claims. Performance degradation is highly task-specific, ranging from negligible to serious impact. In the worst cause, I/O-intensive tasks (like decompressing a file) saw performance drop by a whopping 25 percent on the older laptop.

meltdown spectre
Google/Natascha Eibl
AMD will release CPU firmware updates too, starting with Ryzen, Threadripper, and Epyc processors before moving on to older chips. They’re classified as optional, however, because “differences in AMD architecture mean there is a near zero risk of exploitation” of the Spectre variant that requires firmware updates. Given Microsoft’s warning of post-patch performance slow-downs, Intel’s firmware stability woes, and the optional nature of AMD’s fix, you may want to wait until AMD’s microcode update is tested and benchmark before deciding whether or not to apply it to your system.

Actually getting those firmware updates is tricky, because firmware updates aren’t issued directly from Intel and AMD. Instead, you need to snag them from the company that made your laptop, PC, or motherboard—think HP, Dell, Gigabyte, et cetera. Because of that, patches for individual systems will likely take longer than Intel and AMD’s stated timelines to trickle down to home users. Most prebuilt computers and laptops have a sticker with model details somewhere on their exterior. Find that, then search for the support page for your PC or motherboard’s model number.

Gibson Research’s easy-to-use InSpectre scanning tool can let you know if you’ve installed all the necessary OS and CPU patches on your system.

Update your browser
You also need to protect against Spectre, which tricks software into accessing your protected kernel memory. Intel, AMD, and ARM chips are vulnerable to Spectre to some degree. Software applications need to be updated to protect against Spectre. The major PC web browsers have all issued updates as a first line of defense against nefarious websites seeking to exploit the CPU flaw with Javascript.

chrome site isolation
Brad Chacos/IDG
Enabling Site Isolation in Chrome 63.
Microsoft updated Edge and Internet Explorer alongside Windows 10. Firefox 57 also wraps in some Spectre safeguards. Chrome 63 made “Site Isolation” an optional experimental feature. You can activate it right now by entering chrome://flags/#enable-site-per-process into your URL bar, then clicking Enable next to “Strict site isolation.” Chrome 64 added more protections when it launched in late January.

On January 8, Apple pushed out updates to iOS 11 and macOS with “security improvements to Safari and WebKit to mitigate the effects of Spectre.”

Update other software
Your browser is the easiest avenue for hackers to attack the Spectre CPU flaw, but other software can potentially fall prey to it as well—especially if the software sinks deep hooks into your operating system’s kernel. Case in point: The GPU display driver for graphics cards. Nvidia released new drivers containing Spectre mitigations for GeForce, Quadro, NVS, and some Tesla hardware shortly after the CPU exploits were revealed, with fixes coming to the remaining Tesla cards and GRID GPUs later in January. Grab the newest Nvidia drivers here, and grab them now if you’re an Nvidia user.

Apply all newly available software updates in the coming weeks, especially if it’s somehow tied to hardware. If your printer, SSD, or system monitoring software pushes out an update, install it.

Keep your antivirus active
Finally, this ordeal underlines how important it is to keep your PC protected. The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But researchers have seen attackers testing these exploits in the wild—and attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer.