There is a lot of of hoopla surrounding Spectre and Meltdown, the names given to vulnerabilities that affect practically every processor produced in the past two decades. Without taking a deep dive into the technical details, the short of it is that they could allow an attacker to pluck what was previously considered protected data from your CPU’s cache, including passwords, encryption keys, and other sensitive information.
Security researchers from Google’s Project Zero team discovered the vulnerabilities in 2017 and disclosed them to the public in early 2018. Unfortunately, there is no quick fix, as Spectre and Meltdown are part of the fundamental design of most modern processors. In fact, Intel takes issue with referring to these vulnerabilities as a “bug” or “flaw” in the actual design, though the semantics hardly matter—the bottom line is, your PC is probably affected.
Should you be worried? The good news in all of this is that there are no known exploits in the wild based on Spectre and Meltdown. However, at least two cybersecurity firms have identified proof-of-concept samples based on these vulnerabilities, most likely from security researchers scrambling to stay ahead of the situation.
Nevertheless, it’s a safe bet that attackers will eventually attempt to leverage Spectre and Meltdown. In the meantime, there are some things you can do to protect yourself. The biggest one is to make sure your OS has the latest updates. Microsoft is pretty aggressive about doling out automatic updates to Windows, so most users can sit back and let the OS patch itself. If you want to be proactive, however, manually check for updates to make sure you’re fully patched. The same goes for Linux, Chrome OS, and macOS—Spectre and Meltdown affect all operating systems, not just Windows.
You should also make sure your browsers are all up to date. Google recently updated its Chrome browser to version 64, and it incorporates patches to protect against Spectre and Meltdown. To make sure you’re running the latest build, click on the three vertical dots in the upper-right corner and go to Help > About Google Chrome. This will tell you what version you’re running, and initiate an update if one is available.
In Chrome 63 and later, there is also an experimental feature called Site Isolation that is disabled by default. Turning it on offers additional protection against certain types of web attacks based on Meltdown and Spectre, though it increases Chrome’s memory use by around 10-20 percent. If you’re okay with that, you can turn the feature on by typing chrome://flags into the URL bar, then scroll down to Strict site isolation and press the Enable button. Another way is to type (or copy and paste) chrome://flags/#enable-site-per-process into the URL bar.
There are no special flags in Firefox, Edge, Opera, or Safari. However, you should make sure you’re running the latest version of each. In Firefox, open up the menu and navigate to Help > About Firefox. Updating Opera is similar—click on the menu and select About Opera. Both Edge and Safari are updated by their respective OSes, Windows and MacOS.
One other thing you can do is check for BIOS updates for your motherboard. Several motherboard vendors have begun releasing updated firmware specifically to protect against Spectre and Meltdown. You can check for new BIOS releases by going to your motherboard manufacturer’s website and either looking up your motherboard model, or navigate to the support section.
Given that this is all rather new, it’s a good idea to do some research before applying a BIOS update. Specifically, you want to see if other users have reported any problems with the new BIOS, if one is available. Also, you should only attempt this if you are comfortable updating the BIOS. Otherwise, either skip this step, or have a tech-savvy friend help you. Either way, take note of your current BIOS settings before updating, as they don’t always carry over.
Beyond staying up to date, standard safe computing practices apply—avoid shadier sides of the web, be wary of clicking on links in emails and instant messages, and keep your antivirus software turned on.