The developer of the Ubuntu-based Linux Lite distribution has created a script that makes it easier for Linux users to check if their systems are vulnerable to the Meltdown and Spectre security flaws. http://news.softpedia.com/news/linu...-meltdown-checker-for-linux-oses-519431.shtml
Thanks I downloaded this from github and I am running tests with it. As expected Meltdown has been fixed in my Linux but Spectre not so much. I have also heard that my laptop has a new bios to fix it. Going to go on the hunt for that later too.
Actually, newer kernel versions should be able to report the state of the patches against Meltdown and Spectre themselves. Note, though, that this only works for x86-64 based kernels. This is what Fedora kernel 4.14.13 reports: Code: grep . /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline GKH says: Kernel 4.14.14 (which is in the Fedora testing repo) "includes some PPC mitigations, and has been built with a retpoline capable compiler for improved Spectre mitigation on x86_64." Kernel 4.15 will contain further mitigations. EDIT: I just installed 4.14.14 and got: Code: grep . /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
Unfortunately it's going to take more than simple, common patching to fix the Spectre vulnerability. Think compiling changes and re-compiling of existing code. Iow, not a walk in the park.
True it may not be as reliable an exploit as Meltdown, but it is (or certainly will be) capable of being used to remotely exploit browsers using malicious javascript embedded in, for example, an advertisement. The concern is that user's login tokens could be stolen from one open tab via another tab opened running malicious javascript. Spectre is also capable of bypassing ALSR, so it could potentially exploit browser vulnerabilities as well. That said, browser vendors will no doubt patch their products to defend against it. Chrome beta already has the site isolation flag which defends against the exploit nearly 100%. Firefox, I believe, has a similar option available. I do agree it's not as bad as the media has made it seem with its sensationalizing of the exploit. Still, it's out there and the tech security industry believes there will more exploits against hardware, at least the cpu, in coming years. Sandboxie uses the motto: "Trust no program". Maybe end users should adopt: "Trust no hardware"