Meltdown and Spectre

At the end of 2017 two important vulnerabilities were discovered: Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715). They are based on design choices of certain CPU architectures, most notably in Intel, AMD and certain ARM and NVIDIA CPUs. The vulnerabilities are critical for your data:

  • Meltdown lets a normal user peek into the memory where the operating system resides and steal credentials and other information there.
  • Spectre allows code to break out of sandboxes, for instance JavaScript. In web browsers that would allow a website to sniff your bookmarks and passwords from memory and send them back to the website.

Fixing them requires changes in the BIOS (CPU microcode), the operating system, and all engines that run remote code, such as JavaScript in browsers.

This topic should help you to find out if your computer is vulnerable and how to update it. Update instructions are available for Linux, Windows, macOS, Android and iOS. If you have problems updating your system then please contact our service desk.

Please note that the available fixes do not address all aspects of the vulnerabilities. More updates are likely coming. We will attempt to keep this topic up to date; please check back regularly.

Meltdown

The Meltdown vulnerability requires an operating system or kernel update. Please check the table below for the OS of your devices.

| OS | Safe Version | How to verify |
|---|---|---|
| macOS High Sierra | 10.13.2 | Apple menu » About This Mac |
| macOS Sierra | 10.12.6 | Apple menu » About This Mac |
| macOS El Capitan | 10.11.6 | Apple menu » About This Mac |
| iOS | 11.2.2 | General » Software Update in Settings app |
| Android | 2018-01-05 security patch | About Phone » Android security patch level in Settings app |
| Windows 10 | KB4056890 (1607) or KB4056891 (1703) or KB4056892 (1709) | Click on Start, type Installed Updates and choose View installed updates. Type the KB number in the top right search box. One of the KBs should be installed. |
| Windows 8.1 | KB4056895 | Click on Start, type Installed Updates and choose View installed updates. Type the KB number in the top right search box. |
| Windows 7 SP1 | KB4056894 | Click on Start, type Installed Updates and choose View installed updates. Type the KB number in the top right search box. |
| Ubuntu 17.10 | 4.13.0-25.29 | Run uname -r (running kernel) or dpkg --list \| grep linux-image (installed kernels) on command line |
| Ubuntu 16.04 | 4.4.0-109.132 | Run uname -r (running kernel) or dpkg --list \| grep linux-image (installed kernels) on command line |
| Fedora 27 | 4.14.11 | Run uname -r (running kernel) or rpm -q kernel (installed kernels) on command line |
| Fedora 26 | 4.14.11 | Run uname -r (running kernel) or rpm -q kernel (installed kernels) on command line |
| Red Hat Enterprise Linux 7 | 3.10.0-693.11.6 | Run uname -r (running kernel) or rpm -q kernel (installed kernels) on command line |
| Red Hat Enterprise Linux 6 | 2.6.32-696.18.7 | Run uname -r (running kernel) or rpm -q kernel (installed kernels) on command line |
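
The Linux rows of the table can be checked by script. The following is an added example, not part of the original advisory: it compares a uname -r string with the safe version field by field and reports when the release string is too short to decide. The distribution labels and the sample release strings are constructed for illustration.

```shell
#!/bin/sh
# Safe versions are copied from the Meltdown table; the distribution labels
# and the sample release strings at the bottom are constructed.
safe_kernel_for() {            # $1 = distribution label, $2 = release
    case "$1:$2" in
        ubuntu:17.10)        echo 4.13.0-25.29 ;;
        ubuntu:16.04)        echo 4.4.0-109.132 ;;
        fedora:27|fedora:26) echo 4.14.11 ;;
        rhel:7)              echo 3.10.0-693.11.6 ;;
        rhel:6)              echo 2.6.32-696.18.7 ;;
        *)                   return 1 ;;
    esac
}

# kernel_check RUNNING SAFE prints:
#   safe        RUNNING is at or above SAFE
#   vulnerable  RUNNING is below SAFE
#   unknown     RUNNING equals SAFE as far as it goes but has fewer numeric
#               fields (Ubuntu's uname -r drops the last one, as in
#               4.13.0-25-generic), so check the installed package version
kernel_check() {
    awk -v run="$1" -v safe="$2" 'BEGIN {
        # Keep the leading run of digits, dots and hyphens: this drops
        # suffixes such as "-generic" or ".el7.x86_64".
        sub(/[^-0-9.].*$/, "", run);  sub(/[-.]+$/, "", run)
        sub(/[^-0-9.].*$/, "", safe); sub(/[-.]+$/, "", safe)
        nr = split(run, r, /[-.]+/);  ns = split(safe, s, /[-.]+/)
        n = (nr < ns) ? nr : ns
        for (i = 1; i <= n; i++) {     # numeric comparison, field by field
            if (r[i] + 0 > s[i] + 0) { print "safe"; exit }
            if (r[i] + 0 < s[i] + 0) { print "vulnerable"; exit }
        }
        print ((nr >= ns) ? "safe" : "unknown")
    }'
}

# Constructed sample input: label, release, uname -r string.
while read -r distro rel running; do
    safe=$(safe_kernel_for "$distro" "$rel") || continue
    printf '%-7s %-6s %-28s %s\n' "$distro" "$rel" "$running" "$(kernel_check "$running" "$safe")"
done <<'EOF'
ubuntu 17.10 4.13.0-21-generic
ubuntu 17.10 4.13.0-25-generic
fedora 27 4.14.11-300.fc27.x86_64
rhel 7 3.10.0-693.11.1.el7.x86_64
rhel 6 2.6.32-696.18.7.el6.x86_64
EOF
```

An "unknown" result on Ubuntu is resolved with the dpkg --list output from the table, which shows the full package version.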

Spectre

The Spectre vulnerability is a problem wherever code from untrusted sources is run, most notably in all browsers.

Microcode and BIOS Upgrades

The microcode of the CPU must be updated for all affected CPUs. The updates provide additional functionality that is required for resolving the Spectre issue.

The update can come in the form of a BIOS update or, in the case of Linux, as files that can be updated in the operating system.

For BIOS updates please consult the vendor of the motherboard of your computer.

According to current information, Intel will only provide fixes for CPUs introduced within the last five years. Systems running older CPUs will not get a fix and should be retired.

Browsers

Please verify that the browsers you use are up to date:

| Browser | OS | Safe Version | How to verify |
|---|---|---|---|
| Safari | macOS | 11.0.2 | Menu Safari » About Safari when running the Safari browser |
| Safari | iOS | 11.2.2 | General » Software Update in Settings app |
| Firefox | Ubuntu | 57.0.4 | Menu » Help (blue question mark in main menu) » About Firefox |
| Firefox | Fedora | 57.0.4 | Menu » Help (blue question mark in main menu) » About Firefox |
| Firefox | Windows | 57.0.4 | Menu » Help » About Firefox |
| Firefox | Red Hat Enterprise Linux | 52 ESR | Help menu (blue question mark in main menu) » About Firefox |
| Chrome | any | 64 | See below for mitigation for older versions |

For the time being please refrain from using browsers that are not in the above list.

Chrome Browser

While updates for Chrome are not out yet, there is a setting that mitigates the problem. Copy and paste the following URL into the Chrome address bar and enable Strict site isolation:

chrome://flags/#enable-site-per-process

Page URL: https://isg.inf.ethz.ch/bin/view/Main/NewsSecurityMeltdownSpectre
2019-09-18