The Challenge of Meltdown and Spectre
The twins bugs of Meltdown and Spectre are a once in a career event for security pros.
Most bugs are found quickly – these have been around for 20+ years.
Most bugs affect one hardware platform like Intel or AMD or are not related to any specific hardware device. Spectre affects every modern computing processor from the highest end Intel chip to the ARM chips powering all phones.
Most bugs affect one operating system such as Windows or iOS. These bugs affect Windows, MacOS, Linux and other operating systems.
Finally, most bugs are relatively easily fixed once they are found. Spectre requires, basically, new chip designs to truly fix them.
Worse yet, researchers wrote about these problems in 1992. At the time people figured this was too hard to exploit so no one would try. We have already seen proof of concept exploits on the web.
In general, the Meltdown bug is fixable in software; to completely fix Spectre requires changes to the hardware, but software changes will make exploiting Spectre more difficult.
I am pretty diligent about applying patches, so I figured I was protected at least against Meltdown and possibly against Spectre.
Today I installed InSpectre (available at https://www.grc.com/inspectre.htm ) . After running it, I received this message (note there is a lot of explanatory commentary when you scroll down):
I was pretty surprised.
I checked to see if I had any pending updates and I did not. I looked at the updates that had been installed and the January cumulative update had not been installed, but I could not see any reason why.
I eventually did find a link to download it manually and was able to install it. The install went perfectly and did not exhibit any of the negative symptoms (like a blue screen of death) that some users had experienced early on.
After installing the patch, I ran InSpectre again and got this message:
So I guess I am making progress, but it is not complete.
This free utility written by long time security industry expert Steve Gibson is free on his web site; you might want to see if you are really protected. Or not.
by 