The Spectre and Meltdown processor vulnerability revelations were a shocking start to the new year in cybersecurity. The vulnerabilities affect almost every processor, across almost every operating system and architecture. Processor manufacturers and operating system developers swiftly issued patches to protect against the vulnerabilities — but there were some serious teething issues, too.
Now, over a month on from the initial reports, are we any closer to truly fixing the Meltdown and Spectre vulnerabilities?
Spectre and Meltdown Vulnerabilities Everywhere
The recently discovered security problems will impact computing for a long time. Meltdown specifically impacts Intel microprocessors stretching back to 1995. The longevity of this issue means most of the world’s Intel processors are at risk and even services like Microsoft Azure and Amazon Web Services.
Spectre has a similar global effect, affecting microprocessors from the rest of the major designers: AMD and ARM. This means most of the world’s computing systems are vulnerable and have been for over 20 years.
— Shira Rubinoff (@Shirastweet) January 10, 2018
Understandably, this revelation is causing some consternation for consumers and businesses alike. The worry is multifaceted. Will the patches on offer work? Is it simpler to replace entire stocks of microprocessors? When will a fully secure processor come to market? And what about the cost?
“We’ve never seen such an expansive bug like this that impacts literally every major processor,” says David Kennedy, the CEO of TrustedSec, which does penetration testing and security consulting for corporations. “I was on at least ten calls last week with big companies and two yesterday explaining what’s happening. They have no idea what to do when it comes to patching. It’s really causing a mess.”
The sheer range of vulnerable devices offers another problem. Each type of hardware needs a slightly different individually crafted solution. The patch process since early January has been nothing short of boggling.
Intel rushed to develop and release a security patch. The downside was some serious performance issues. Intel infamously said, “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.” This was untrue then and remains so at the time of writing. Even newer processors only just coming to market still feel the effects.
In fact, on Monday, January 22, Intel retracted one of its Spectre patches because it was causing random reboot issues. Intel suggested that network administrators should simply roll-back any updates already installed, with Intel executive vice president Neil Shenoy saying “I apologize for any disruption this change in guidance may cause.” VMware, Lenovo, and Dell all made similar announcements at the same time.
Then at the end of January, Microsoft also announced that the Spectre and Meltdown patches for Windows 10 were compromising performance and causing random fatal errors, confirming that their security fixes were buggy. Oh, and Apple similarly retracted claims regarding protections for older machines, releasing a plethora of patches for High Sierra, Sierra, and El Capitan.
Linus and Linux
Linus Torvalds, the creator and principal developer of the Linux kernel, remains highly critical of the entire Spectre/Meltdown patch process (what is a kernel, anyway?). In fact, Torvalds went as far as to declare the Intel patches as “COMPLETE AND UTTER GARBAGE.” You can read the rest of his tirade here — and it is worth the read.
The text is somewhat jargon-laden, so I’ll do my best to explain it, simply.
Linus analyzed the patches. He found Intel attempting to make the security patches optional, as well as OS-based so that they don’t have to completely overhaul their CPU design (which is the only option for real security — I’ll explain why in a moment). Instead of issuing two patches where one enables the security patches and a second one that implements the fixes to the kernel.
Instead, Torvalds contends Intel is forcing the two together to gloss over the performance hits by allowing an “Optional Secure Mode,” whereby the user must opt their CPU into the fix and making the performance hit the customers decision, rather than Intel taking the flak. Furthermore, if and when users boot an older operating system that hasn’t ever known the patch, they’ll be instantly vulnerable.
On January 29, the Linux 4.15 kernel was made available, featuring newly expanded security capabilities in Intel and AMD CPUs on Linux devices. And while Linus Torvalds rant was Linux focused, it is clear that the Intel patches weren’t up to scratch for any operating system.
Microsoft Out-of-Band Updates
As mentioned above, Microsoft is also unhappy with Intel’s approach to the security patches. So much so that it broke with its traditional Patch Tuesday approach to most security patches, instead issuing a rare out-of-band security update. The Microsoft patch simply disables the Spectre variant 2, in testament to how bad Intel’s patch is.
The new patch is available via the Microsoft Update Catalog.
Alternatively, users wishing to go the down the manual fix route should read the Microsoft Windows Client Guidance document for advice on the somewhat tricky registry changes.
What About China?
Despite Intel dodging one bullet regarding its latest earnings report (despite exposing most of the world’s computers Intel profits are chugging along nicely), Intel took on heaps more criticism for reportedly disclosing both Meltdown and Spectre to massive Chinese customers like Alibaba and Lenovo — before it told the US Government.
In fact, several major US agencies were only made aware of Spectre and Meltdown when reports went public, rather than any pre-disclosure notification process. And while there is no indication that the information was improperly used (e.g. passed onto and used by the Chinese government), it raises significant concerns about Intel’s choices of who to inform.
Given the depth and scale of Chinese internet surveillance, it seems entirely unlikely the Chinese government was not aware of the vulnerabilities before the US government.
Are Real Fixes for Spectre and Meltdown Ever Going to Happen?
The security patches are, realistically, a temporary solution. The onus should not fall on consumers to enable the vulnerability blocking patches, let alone have to decide on the trade-off between kernel-level security issues and CPU performance hits. It is simply unfair, let alone completely unethical.
Part of the Intel financials reports featured information from CEO Brian Krzanich who promised that chips with true hardware fixes would begin shipping this year. Unfortunately, Krzanich didn’t elaborate on what that bold statement meant.
However, because Krzanich did confirm Intel plans to continue developing its 14nm products (Intel CPUs from 2014 onwards — Kaby Lake, Coffee Lake, Skylake, etc.) throughout 2018. This creates possibilities: “in-silicon” fixes for the current generation of CPUs and fixes for the upcoming Cannon Lake processors, or one or the other.
Furthermore, no one is clear exactly what the fixes will entail. The current microcode and workaround approach is clearly not working. Given more time for development, would higher-performance, better-coded versions feature? Or will Intel accept that their CPUs require modification at a much deeper level?
One thing is for sure, though. Despite this monumental vulnerability that affects so many devices, Intel sales are likely to increase as large corporations, businesses, and consumers alike jump from affected hardware when the new, presumably secure generation arrives.
What do you think about Spectre and Meltdown? Has it prompted you to consider buying a new PC in 2018? Let us know!