Riseup Security Bulletin

As you have probably read, there are three related security problems in contemporary CPUs. These vulnerabilities open the potential for a nefarious program to steal passwords, secrets, and personal information from you computer, even if the program is just Javascript loaded from a web site you visit. These vulnerabilities are as serious as they sound, and you should take action to upgrade your software.

* The first flaw, called “Meltdown,” affects nearly all Intel CPUs and has been fixed with updates to most operating systems.

* The two other flaws, called “Spectre,” apply to nearly all CPUs built in the last 20 years, not just Intel, although they are more difficult to exploit. There are no permanent fixes for Spectre available at this time, although if you update your software you will make these attacks much less likely.

You should take *both* these steps now, for all your devices:

(1) Upgrade your web browser (see below). These fixes make the new attacks against CPUs more much difficult.

(2) Upgrade your operating system. There are updates available for Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for Intel CPUs and provide some mitigations for Spectre. Additionally, new releases of iOS and Android have mitigations for Spectre.

Better fixes will continue to arrive in the next weeks/months for your operating system and software. Please keep your system up to date!

Browsers
————————-

By updating your browser, you can make it significantly harder for an attacker to steal secrets off your computer using Javascript loaded from a web site you visit.

Firefox version 57.0.4 and later includes mitigation measures against Spectre attack [1].

Edge has been updated to include Spectre migitations. When you apply the latest Windows update, you will get the new version of Edge.

Safari will be updated very soon, according to Apple. Check the App Store updates.

Chrome will include Spectre mitigations starting with version 64, to be released Jan 23. In the mean time, you can change your configuration to greatly mitigate against the Spectre vulnerability by enabling “site isolation” https://support.google.com/chrome/answer/7623121?hl=en

Additionally, please see https://riseup.net/en/better-web-browsing for instructions on best practices for securing your web experience (which will also help mitigate against these new attacks).

Windows


For Windows 10, you must first upgrade any anti-virus software before upgrading Windows. Failure to do so may make your computer stop working. [2]

To upgrade Windows 10:

> Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.

Now is a good time to enable automatic updates:

> Select the “Start” button, then select “Settings” > “Update & security” > “Windows Update” > “Advanced options” and then under “Choose how updates are installed”, select “Automatic (recommended)”.

If you are running Windows 7 or 8, an update is also available.

macOS


If you already have macOS version 10.13.2 then you are protected against Meltdown [3]. Otherwise, to upgrade macOS:

> Open the App Store app on your Mac. Click “Updates” in the App Store toolbar, then use the “Update” buttons to download and install any updates listed.

Now is a good time to check enable automatic updates:

> Select the Apple menu, then select “System Preferences” > “App Store” > “Automatically check for updates”.

Apple plans to soon release an update to Safari browser to provide some mitigation against Spectre.

iOS


Apple has said that iOS is affected by Spectre, and an update to mitigate against most of the new attacks has been released. If you have iOS version 11.2 or later, then you are good [3]. To check for new updates, go to Settings > General > Software Update.

Android


The bad news is that Android is vulnerable to Spectre and unless you have a Google-branded phone or run a custom firmware you might not get an update for months, if ever. However, the consensus among security researchers at the moment is that the Spectre attack is difficult enough that there are probably easier ways to compromise an Android device. Yeah?

There is one thing you can do now to make your Android device more safe against these new CPU attacks:

* Turn on “site isolation” in Chrome: https://support.google.com/chrome/answer/7623121?hl=en
* Upgrade Chrome Browser after Jan 23.
* Alternately, use Firefox for Android.

Debian/Ubuntu GNU/Linux


Run “Software Center” or “Software Updater.”

Alternately, open a terminal and type:

sudo apt update
sudo apt upgrade
sudo reboot

Fedora GNU/Linux


Open a terminal and type:

sudo dnf –refresh update kernel
sudo reboot

Stay safe, keep strong,
The Riseup Birds

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/
[2] http://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/
[3] https://support.apple.com/en-us/HT208394

[en] [es] [fr]

Advertisements

One thought on “Riseup Security Bulletin

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s