What are Meltdown/Spectre?
‘Meltdown' and 'Spectre' are two security flaws affecting microprocessors. Actions that would have normally been difficult for an attacker, such as recovering passwords, are theoretically easier.
However, an attacker would still need to run code on your device. Access would typically be gained via well-known means, such as phishing attacks or browsing malicious websites.
What are the vulnerabilities?
Processors in most devices employ a range of techniques to speed up their operation. The Meltdown and Spectre vulnerabilities allow some of these techniques to be abused, to obtain information about areas of memory not normally visible to an attacker.
What do I need to do?
The NCSC advises you to patch your devices and applications as soon as updates become available. We also recommend that home users enable automatic updates so that future security measures are installed for you. There is no reason to dispose of your device.
Most devices - from smartphones to home computers - may be vulnerable to some extent. The major operating system vendors have produced patches which mitigate the issues. You should install these as soon as possible.
As well as updating your operating system (e.g. Windows, Apple iOS etc…) you may need to apply patches specific to your devices. Details of the patches are typically available on the manufacturer’s website. Applications such as web browsers and office productivity software may also need patching. Major vendors are starting to make these available.
Windows users should note that you may need to update antivirus products before you can successfully install the Windows update that addresses these vulnerabilities. Microsoft’s information about antivirus products affecting application of the Windows update can be seen here and in the table below.
While not specific to this vulnerability, now is a good time to the implement basic cyber hygiene measures that make it harder for potential attackers to compromise your device. This includes using strong passwords, backing up data and using two-factor authentication. Further information can be found at Cyber Aware and on GOV.uk.
Will my old device be patched?
Device and platform manufacturers are releasing updates to supported products, which will mitigate this issue. We recommend that you check on the manufacturer’s website whether your device is still supported. Older devices may no longer be supported, making them vulnerable to the effects of Meltdown, Spectre and other potential flaws that may be uncovered in the future.
Device manufacturers have been issuing advice for their customers, a selection of which can be seen below: