Spectre and Meltdown AKA Omnishambles

In 2012, Oxford Dictionaries described Omnishambles thus:

A situation that has been comprehensively mismanaged, characterized by a string of blunders and miscalculations.

So far, the answer to fixing Spectre and Meltdown has been a lot of press releases from Intel, the CEO cashing in on stock just before Google Project Zero released its findings (Intel were officially told back in June 2017), some firmware fixes which were rapidly rolled back because they made computers unstable, and really, not a lot else.

In fact, Intel kept the issue largely to themselves, prompting the formation of a Slack War Room for organisations who were largely in the dark.

Basically, these exploits can affect all modern technology: anything with an Intel or AMD chip.

Wired’s article on the subject is detailed and quite interesting if you like that sort of thing.

What do you do then?

So right now, the rule of thumb is the same as for any other computer technology:

  • Back up
  • Install System Updates regularly (or turn on auto-update to make sure they happen)
  • Keep Antivirus up to date

Additionally, MS support has set up a Spectre/Meltdown webpage outlining everything you have to do. It lists computer vendors and links to their web pages on the subject.

Apple too has a page on the subject, as do Linux vendors Ubuntu and Red Hat.

Google Chrome fix for Spectre

Google Chrome users get a little help too. According to Google:

“[Site Isolation] makes it harder for untrusted websites to access or steal information from your accounts on other websites.”

According to Mashable, Google says to perform these steps to help mitigate Spectre (which works by exploiting JavaScript in web browsers):

  1. Enter this in your Chrome browser address field: chrome://flags/#enable-site-per-process
  2. Enable Strict Site Isolation.

From bean to cup…

And for the final word, I direct you to Linux creator Linus Torvalds, who said (in part):

The whole IBRS_ALL feature to me very clearly says “Intel is not
serious about this, we’ll have a ugly hack that will be so expensive
that we don’t want to enable it by default, because that would look
bad in benchmarks”.
So instead they try to push the garbage down to us. And they are doing
it entirely wrong, even from a technical standpoint.
I’m sure there is some lawyer there who says “we’ll have to go through
motions to protect against a lawsuit”. But legal reasons do not make
for good technology, or good patches that I should apply.

(emphasis mine)

EDITS 9feb18: fixed ms link so it pointed to the right place.