Technical guide: Meltdown and Spectre security vulnerabilities

Overview

Meltdown and Spectre are two recently-disclosed vulnerabilities present in many modern CPUs. These vulnerabilities may allow an untrusted webpage or client process to completely compromise the computer.  Complete compromise could allow password theft, document theft, document deletion, malware installation, and other malfeasance.

This document contains technical information about the scope, impact, and mitigation of these vulnerabilities.

Write-ups

Vulnerability Impact table

| CPU Vendor | Meltdown | Spectre |
| --- | --- | --- |
| Intel | Information disclosure, privilege escalation | Information disclosure |
| AMD | No vulnerability identified at this time | Information disclosure (low risk) |
| ARM | No vulnerability identified at this time | Information disclosure |

Others: See list here: https://spectreattack.com/#faq-advisory

Mitigation

For full mitigation, users may need all of the following:

  1. BIOS/UEFI update
  2. OS Update
  3. Application update

BIOS/UEFI update

BIOS/UEFI is the motherboard-level machine code that runs before the OS starts. This code determines which storage device to boot from, which optional hardware should be enabled, which video card to initialize first, and other pre-OS configuration settings. This functionality is also known as "Firmware" or "CMOS setup". Computer manufacturers are aware of the issue and are working on new BIOS/UEFI updates, but may not have "fixed" code for all models at the moment. BIOS updates that address this issue should have date stamps after Jan 3rd, 2018.

Note that using the wrong BIOS update can brick your computer.  BIOS updates should be performed by staff who are familiar with (or responsible for) the computer's hardware.

BIOS/UEFI code for Intel CPUs is affected by both Meltdown and Spectre.
BIOS/UEFI code for AMD CPUs is not currently known to be affected by Meltdown, but is partially vulnerable to Spectre.

Dell:  https://www.dell.com/support/drivers
HP:  https://support.hp.com/ca-en/document/c00042629

AMD Athlon CPU Note

Computers with AMD Athlon processors (pre-2006) may not be compatible with the Windows Update for Meltdown. Windows users with AMD Athlon processors should not apply the Jan 3rd update at this time. We will update this guidance as the situation develops.

OS Updates

Windows

| Windows Version | KB Number |
| --- | --- |
| Win10 1709 Fall Creators Update | 4056892 |
| Win10 1703 Creators Update | 4056891 |
| Win10 1607 Anniversary Update | 4056890 |
| Win10 1511 | 4056888 |
| Win10 Original Edition | 4056893 |
| Win 8.1 | 4056895 |
| Win 7 | 4056894 |

Other Windows versions (including server versions) are addressed here:  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
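
One way to audit a single Windows host against the KB table and the BIOS date guidance above. This is an added example, not part of the original guide; the function name and the build-number-to-KB pairing are assumptions of the example, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original guide). KB numbers come from the table above;
# pairing them with Windows build numbers is an assumption of this example and
# should be checked against the Microsoft advisory before relying on the result.
$KbByBuild = @{
    '16299' = 'KB4056892'   # Win10 1709 Fall Creators Update
    '15063' = 'KB4056891'   # Win10 1703 Creators Update
    '14393' = 'KB4056890'   # Win10 1607 Anniversary Update
    '10586' = 'KB4056888'   # Win10 1511
    '10240' = 'KB4056893'   # Win10 Original Edition
    '9600'  = 'KB4056895'   # Win 8.1
    '7601'  = 'KB4056894'   # Win 7
}
# The guide says fixed BIOS/UEFI images should carry date stamps after Jan 3rd, 2018.
$BiosCutoff = [datetime]'2018-01-03'

function Get-MeltdownSpectreStatus {   # hypothetical helper name
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $kb   = $KbByBuild[[string]$os.BuildNumber]

    if (-not $kb) {
        # Build is not in the table: consult the Microsoft advisory linked above.
        $kbState = 'BuildNotInTable'
    } elseif (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        $kbState = 'Installed'
    } else {
        # A later cumulative update can replace this KB, so treat this as
        # "needs review" rather than as proof the host is unpatched.
        $kbState = 'NotFound'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $os.BuildNumber
        Cpu             = $cpu.Name            # check for AMD Athlon before patching
        ExpectedKB      = $kb
        KBState         = $kbState
        BiosVersion     = $bios.SMBIOSBIOSVersion
        BiosReleaseDate = $bios.ReleaseDate
        BiosAfterCutoff = ($bios.ReleaseDate -gt $BiosCutoff)
    }
}

Get-MeltdownSpectreStatus | Format-List
```

A BIOS dated after the cutoff is only a necessary condition for the fix; confirm against the vendor's release notes for the specific model.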

Mac

  • Mac users should update to macOS 10.13.3 today (High Sierra update 3)

RedHat Linux

Other OSes

Application Updates

Firefox/Chrome

Details

Article ID: 45829
Created: Fri 1/5/18 9:42 AM
Modified: Wed 1/31/18 12:14 PM