On Wednesday, January 3rd, two security bugs were observed by the security community. Now known as “Meltdown” and “Spectre,” these bugs affect most central processing units (CPUs), and therefore, many computer users.
In summary, we are updating LastPass systems with the latest applicable and available patches and advise our customers to do the same while continuing to practice smart cyber hygiene.
What are the Meltdown and Spectre bugs?
The Meltdown bug may allow programs to access computer memory that they would normally not be allowed to access. Anyone running an unpatched operating system may be at risk. For an attacker to even be able take advantage of this vulnerability, he/she must first find an opportunity to run malicious code on the targeted system. As of now, this is known to affect Intel processors.
The Spectre bug breaks the isolation between different applications, which may potentially allow an attacker, under a limited set of circumstances, to access unauthorized data. Spectre impacts a larger number of systems and is harder to mitigate, but is also harder to exploit. As of now, this is known to affect Intel, AMD and ARM processors.
We are actively monitoring for updates by chip makers and operating system providers and applying applicable patches to our own machines as they become available, and recommend users do the same.
How is LastPass affected?
For either vulnerability, malicious intent would need to occur for them to be exploited. When it comes to Meltdown, LastPass infrastructure is heavily fortified, protected by many layers as detailed in our technical whitepaper. Due to our zero-knowledge security model, in which LastPass does not receive the master password, passwords and other sensitive data stored in the encrypted vault should remain safe.
What you can do
We are actively tracking this issue and are patching systems as applicable updates become available. We’ll continue to provide updates to our users as warranted.
At minimum, immediately apply updates when they become available. As a best practice, after applying the updates, we recommend that you update your LastPass master password and your most important passwords (email, financial, social media, and medical) to mitigate the risk of these vulnerabilities.
As always, we encourage users to follow general best practices for online security such as:
- Monitor responses from processor and technology providers. Google’s response is among those we recommend LastPass users review for action on any of their services you might be using, such as Chrome and/or Android.
- Patch, patch, patch. It is critical to update your apps, browsers, operating systems, and even your device itself when it can no longer automatically receive security updates.
- Keep a clean machine by running antivirus. At this time, we believe Meltdown and Spectre likely won’t be picked up by antivirus, but are still critical for detecting and removing harmful malware and adware.
- Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
- Two-factor authentication remains one of the most effective ways to protect your account from targeted attacks. Always enable 2FA for LastPass and other services like your bank, email, Twitter, Facebook, etc.
- Use strong, unique passwords for every online account.