Some of you may have learned about Meltdown And Spectre, a set of critical security flaws that affect virtually all modern computing devices. This includes the one you are looking at right now, the one I'm writing this on, and the one that delivered and hosts this publication. Let's see what it is, what it is not and what should we do next.
Meltdown-
Meltdown is a critical security flaw that lies deep within the actual processor's design. Let's not go too deep in the details and go straight to what it does. This flaw can be used to read the content of the RAM. Why should you care? Your RAM contains lots of content. A video you watch online, your desktop, your notifications and, well, everything else. Everything depends on what you do. But if you have your Internet Browser open, it has loaded in the RAM your ID you have saved and tons of other personal information you do not want to be accessed by some hacker (or government if that concerns you). The RAM contains the stuff you are using now (games, documents...) along with cached processes you are not using. The cached processes are here to be opened faster when you actually want them. So even your banking application can have critical info leaked.
Now, what is actually leaked depends on what your RAM contains, and whether or not it is encrypted. The flaw only affects devices with the following:
Intel CPUs (excluding pre-2013 Atom) ARM Cortex A75.
Which of your devices are affected?
Your computer for sure, unless you have an AMD. If you have a Tab 3 10.1, it is affected. The upcoming A8 2018 is affected (Only A75 and A55 support DynamIQ, and 2/6 is a DynamIQ set-up).
That's it? No. For those of you that do not happen to own an Intel CPU, an old Tab 3 or that did not receive an A8 for review, we have some nasty things for you too. Actually, this one is for everyone, or so:
Spectre-
This is Meltdown but worse. While the former affected *only* Intel CPUs and requires a local program to perform it's nasty stuff, Spectre has a much broader range, and can be exploited by the Internet. The Internet variant can allow a webpage to read other opened webpages memory. Yet again, this includes personnal info. The local variant can do like Meltdown and read other program's memory. It does so by abusing Speculative Execution features in modern CPUs. It affects every processor with Out-of-order execution. This includes the following processors:
Intel CPU (Atom pre-2013 excluded) AMD (including Ryzen) ARM Cortex-A8, A9, A15, A17, A57, A72, A73, A75.
Which of your devices are affected?
Oh geez, the list is long. Your computer is affected for sure. Mobile phones and tablets are mixed. Any midrange/low-end should be fine, as they use A53/A7 that are unaffected. OoOE is a very useful feature for performance. Your car might be affected, but there is very few useful info that can be taken from it. So the following SoCs are affected:
Apple-
All the way down to the A4 and the 3GS CPU.
Qualcomm-
Scorpion processors (2008) Krait processors (2012, Snapdragon S4...) Some Snapdragon 400 models Snapdragon 600, 602A (For automotive entertainment systems) Snapdragon 65x, 660, 670 All 8xx processors.
Samsung- Hummingbird processor Exynos 4 series. Exynos 5 series. Exynos 7 Octa 5433 Exynos 7 Octa 7420 Exynos 7 Octa 7885 Exynos 8 series (there is only the 8890) Exynos 9 series
Is it anyone's fault? Meltdown is Intel's fault. They are guilty. 100%. Please sue them. Thank you. Spectre is not really someone's fault. It is the result of abusing a legitimate functionality.
To protect yourself- Okay, you read a whole wall of text. Now you are scared to do anything personnal on your device. Don't be! Follow the tips in the comments!
The Meltdown and Spectre patch is included in the "MS" release of Samsung's security patches, as well as the revised Google January Patch. As far as I know, no device received it yet. The first January Patch was only made available for the Tab A 7.0 2016. TBC...
Reserved 1- List of affected devices (Samsung Android)
A date will be written besides the device that got patched when the patch is issued in Canada.
■ Galaxy S8, S8+ [25/01] ■ Galaxy Note 8 [01/02] ○ Galaxy A8 2018 (probably will be patched by an updated factory firmware) ■ Galaxy Tab S3 [04/02] ■ Galaxy S7, S7 Edge [31/01] ■ Galaxy Tab S2 Refresh (SD652) [14/02] ■ Galaxy S6, S6 Edge [05/02] ■ Galaxy Note5, S6 Edge+ [01/02]. Galaxy Tab S2 (E5433) Galaxy Tab Pro (all models) Galaxy Note 4 Galaxy Alpha Galaxy S5, S5 Active (not Neo, unaffected) Galaxy Note 10.1 2014 Galaxy Tab S Galaxy Tab 3 10.1 Galaxy Note 3, 3 Neo Galaxy S4 Galaxy Note 8.0 (the tablet, not the phone!) Galaxy Note 2 Galaxy SIII (still popular in some countries, so maybe the patch isn't that unrealistic)
If devices are missing, or if there are errors in the list, please let me know so I can make the appropriate changes
If your device is listed, please let me know if you got the January or later patch. Thanks!
It is important to note that no attack involving the flaws aforementioned have been reported yet. So do not worry and install all your software updates as soon as you get it!
Embedded devices, like IoT, may be affected but they do not contain anything personnal in their RAM, so they do not require patches.
First up: Keep all your software up to date at all times. Chrome 64 includes Internet Spectre mitigation.
2nd- Do not go on shady sites.
3- Do not download malware and APKs from weird/crack sites. Check Sammobile.com/apk or apkmirror.com for legal, virus free APKs.
4- Do not install "Cleaners" or "Boosters", or Apps and Games from unknown developers on any App Store. These apps are often bundled with malware (Cleaners and Boosters and malware to begin with)
Thank you Nick! I just love writing about technology (when I have the time!)
@A1 The revised January Patch includes the vulnerability fix. And it is quite unlikely that the original patch rollout will continue. So if you have a vulnerable device that gets the January patch, 99% chances you get the Spectre patch.
It is worth mentioning that the August patch last year was released in two levels, without any visible difference. My Tab A 8.0 got the CQJ5 patch, which includes Blueborne and other August fixes (and Nougat at the same occasion). My friend's J3 2016 got the August patch in early August, but did not include Blueborne fix. I do not recall any other device that got the August patch without Blueborne fixes.
And I do not think we ever had a Level 5 patch on Samsung (except the S8 Beta). Level 5 is an extension to the regular patch, but often contains very specific patches (sometimes hardware components like NVIDIA or MediaTek SoC)
