January security update

I recently received the January security update and I would like to know whether the Meltdown and Spectre issues have been addressed.

Lol. Have you done ANY research on why Meltdown and Spectre are so complicated to fix? This cannot be done with a simple update. Just make sure you don't run any untrustworthy code for the foreseeable future, which includes JavaScript of course.

In answer to your question 'have I done ANY research?' Yes, a little. According to national, tech and trade press the computer industry is scrabbling to resolve these issues and minimise the consequential reduction in performance these fixes are causing in some situations. Intel are about to release firmware updates, Microsoft has released security patches, as have Apple. Linux patches are available. Google have reportedly included Spectre fixes in its latest Android and Chromebook updates. I simply wondered whether these fixes had been incorporated into the latest Nokia update.

"Note: CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, a set of vulnerabilities related to speculative execution in processors, have been publicly disclosed. Android is unaware of any successful reproduction of these vulnerabilities that would allow unauthorized information disclosure on any ARM-based Android device.

To provide additional protection, the update for CVE-2017-13218 included in this bulletin reduces access to high-precision timers, which helps limit side channel attacks (such as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) of all known variants of ARM processors."

Yes, the whole industry is on their toes. Especially cloud services. Those are the ones who will be most affected. As far as I know there are Meltdown exploits in the wild already. Spectre will be there soon too. Probably. Fixes need to be done on the software level, on the OS level as well as processor level. For the first one, fixes are out for some software at least. Firefox was quick here. I recommend using NoScript anyways. OS updates in part are out too, yes. ARM however is not so quick here. As far as I know most Cortex are affected but I haven't followed the discussion there. Either way, manufacturers will have to provide BIOS, UEFI updates in many cases. I don't expect ARM architecture to be fixed any time soon. Especially when Spectre probably will develop into a cat and mouse game in the next years - if they don't want to go back to the 90s performance-wise. Your best bet is to not panic, servers are much more the target. And for all malware including Meltdown and Spectre exploits, please don't run untrusted software (that includes the browser with JavaScript).

Recommending people to turn JavaScript off is not a clever idea; a huge number of interactive websites break if JavaScript is not enabled. JavaScript is required for things like Ajax calls to a server to dynamically update things, i.e. to populate an auto fill box on a web form for an address or an interactive photo album loading images on the fly as required. Turning this off is like browsing the web in black and white.

It was not a recommendation for convenience's sake. The thread starter was worried about serious vulnerabilities. Also, there is a thing called "white listing" for all the things you mentioned. This is about not simply letting any code of any website run on your device by default. THAT is how Spectre or Meltdown (among others obviously) could be exploited.