Two wide-reaching, chip-level security vulnerabilities, dubbed Spectre and Meltdown, were made public this week. Spectre exploits a chip optimization technique called speculative execution to allow applications to break out of their usual separation and access memory used by other applications. Meltdown allows applications to access low-level kernel memory, which may reveal sensitive data belonging to other programs and to the operating system itself. Here are a few steps to help protect yourself and your enterprise against these flaws:
1. Patch – starting right now.
Patches that mitigate, if not solve, the flaws have already been released for various platforms including some Linux distributions such as Red Hat, Apple operating systems, Windows servers and clients, and Android. Operating system developers may be embarking on major redesigns of their systems to better mitigate the vulnerabilities. Cloud providers will be patching their servers in the weeks ahead. Going forward, keep an eye on the status of patches for Spectre and Meltdown, and continue to update all software and firmware as soon as mitigations become available. These vulnerabilities will demand ongoing vigilance: given the low-level nature of the bugs, a software update will not necessarily protect against all potential variants of the exploits. You can greatly reduce your risk by installing patches in a timely fashion – hackers are lazy and tend to go after the low-hanging fruit of unpatched systems.
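One way to keep an eye on patch status on a Linux host, as an added example that is not part of the original article: kernels that carry the mitigations report their own state in one file per issue under /sys/devices/system/cpu/vulnerabilities. The function names below are hypothetical helpers, and the script assumes that directory and the three file names shown.

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's own
# Spectre/Meltdown status report. Assumes a Linux kernel that exposes
# /sys/devices/system/cpu/vulnerabilities, one status line per file.
# Usage after sourcing this file:  check_cpu_vulns

# classify_status LINE -> prints OK, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;   # empty or unrecognised text
    esac
}

# check_cpu_vulns [DIR] -> prints "name<TAB>verdict<TAB>kernel text" per issue.
# Returns 0 if every issue is OK or MITIGATED, 1 if any is VULNERABLE or
# UNKNOWN (including a missing file), 2 if the kernel offers no report at all.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    _rc=0
    if [ ! -d "$dir" ]; then
        echo "no report: $dir is missing, kernel likely predates the patches"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(head -n 1 "$dir/$name")
            verdict=$(classify_status "$line")
        else
            # A missing file means the kernel cannot vouch for this issue.
            line="file not present"
            verdict=UNKNOWN
        fi
        case "$verdict" in
            VULNERABLE|UNKNOWN) _rc=1 ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$verdict" "$line"
    done
    return $_rc
}
```

A non-zero return is suitable for wiring into a scheduled job or monitoring check so that an unpatched or regressed host is flagged after each kernel or firmware update.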
2. Implement multi-factor authentication (MFA) whenever possible.
The idea of MFA is to prove your identity in more than one way, like entering your password and a code sent to an app on your smartphone, in case one method is compromised. As Spectre and Meltdown could be exploited to reveal the passwords stored in your browser or password manager, the already-urgent need to implement MFA just became even more urgent. (One researcher of the vulnerabilities posted a chilling video showing how Meltdown can be exploited to reveal the passphrase that unlocks your password manager.) It is still preferable to store passwords in an encrypted volume, like a password manager, rather than in your browser or in a cleartext list, but it is best to do so in combination with MFA.
3. Leverage Google Chrome’s Site Isolation feature.
While your browser normally allows pages from different websites to share a process to improve performance, Site Isolation sandboxes each website into a separate process. This better protects your data from vulnerabilities, including Spectre and Meltdown, that could allow access to data across applications. If you have a different browser of choice, monitor its security updates and enable any features that would mitigate these vulnerabilities as soon as they become available.