Are Spectre and Meltdown Still a Threat? The Patches You Need
The Spectre and Meltdown processor vulnerability revelations were a shocking start to 2018. The vulnerabilities affect almost every processor, across virtually every operating system and architecture. Processor manufacturers and operating system developers swiftly issued patches to protect against the vulnerabilities.
But there were some serious teething issues, too.
Now, over a year on from the initial reports, are we any closer to genuinely fixing the Meltdown and Spectre vulnerabilities?
Spectre and Meltdown Vulnerabilities Latest
The Spectre and Meltdown vulnerabilities discovered in early 2018 continue to impact computing. Meltdown specifically affects Intel microprocessors stretching back to 1995. The longevity of this issue means most of the world’s Intel processors are at risk, as are services like Microsoft Azure and Amazon Web Services.
Spectre has a similar global effect. The Spectre vulnerability affects microprocessors from Intel, as well as other major designers including AMD and ARM. Thus, Spectre and Meltdown render most of the world’s computing vulnerable, a situation that dates back over 20 years.
Understandably, the revelations continue to cause consternation for consumers and businesses alike. The worry is multifaceted. Intel, AMD, and ARM all released patches for the vulnerabilities; will those patches work? Is it simpler to replace entire stocks of microprocessors? When will a fully secure processor come to market? And what about the cost?
“We’ve never seen such an expansive bug like this that impacts literally every major processor,” says David Kennedy, the CEO of TrustedSec, which does penetration testing and security consulting for corporations.
“I was on at least ten calls last week with big companies and two yesterday explaining what’s happening. They have no idea what to do when it comes to patching. It’s really causing a mess.”
Spectre Next Generation
No, it isn’t the James Bond-Star Trek crossover you’ve been dreaming about. Spectre Next Generation is the second generation of Spectre vulnerabilities. The second generation was uncovered by Google’s Project Zero (who also revealed the first generation).
Project Zero is Google’s taskforce for finding and responsibly disclosing zero-day vulnerabilities before nefarious individuals discover them.
I’m not going to dip into all of the details here, but here’s an article explaining the implications of Spectre Next Generation.
Are There Spectre and Meltdown Patches?
The sheer range of vulnerable devices poses another problem. Each type of hardware needs a slightly different, individually crafted solution. The patch process since January 2018 has been nothing short of boggling.
Intel rushed to develop and release a security patch. The downside was serious performance issues. Intel infamously said, “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.” The statement was untrue then and remains so at the time of writing.
Even newer processors only just coming to market still feel the effects.
In fact, on 22 January 2018, Intel retracted one of its Spectre patches because it was causing a random reboot issue. Intel suggested that network administrators should simply roll back any updates already installed, with Intel executive vice president Neil Shenoy saying, “I apologize for any disruption this change in guidance may cause.” VMware, Lenovo, and Dell all made similar announcements at the same time.
Then at the end of January, Microsoft also announced that the Spectre and Meltdown patches for Windows 10 were compromising performance and causing random fatal errors, confirming that their security fixes were buggy.
Oh, and Apple similarly retracted claims regarding protections for older machines, releasing a plethora of patches for High Sierra, Sierra, and El Capitan.
Linus and Linux
Linus Torvalds, the creator and principal developer of the Linux kernel, remains highly critical of the entire Spectre/Meltdown patch process. In fact, Torvalds went as far as to declare the Intel patches “COMPLETE AND UTTER GARBAGE.”
You can read the rest of his tirade here. It is well worth the read.
Linus analyzed the patches. He found Intel attempting to make the security patches optional, as well as OS-based so that they don’t have to completely overhaul their CPU design (which is the only option for real security—I’ll explain why in a moment).
An alternative would be issuing two patches: one that enables the security patches and a second that implements the fixes to the kernel.
Instead, Torvalds contends, Intel is forcing the two together to gloss over the performance hits by allowing an “Optional Secure Mode,” whereby the user must opt their CPU into the fix, making the performance hit the customer’s decision rather than Intel taking the flak. Furthermore, if and when users boot an older operating system that hasn’t ever known the patch, they’ll be instantly vulnerable.
On January 29, the Linux 4.15 kernel was made available, featuring newly expanded security capabilities in Intel and AMD CPUs on Linux devices. And while Linus Torvalds’ rant was Linux focused, it is clear that the Intel patches weren’t up to scratch for any operating system.
Did China Know About Spectre and Meltdown?
Despite Intel dodging one bullet regarding its earnings reports (despite the critical vulnerability found in most of the world’s computers, Intel profits chug along quite nicely), Intel took heaps of criticism for reportedly disclosing both Meltdown and Spectre to its massive Chinese customers, like Alibaba and Lenovo, before it told the US government.
Several major US agencies were only made aware of Spectre and Meltdown when reports went public, rather than through any pre-disclosure notification process. And while there is no indication that the information was improperly used (e.g., passed on to and used by the Chinese government), it raises significant concerns about Intel’s choice of who to inform.
Given the depth and scale of Chinese internet surveillance, it seems entirely unlikely the Chinese government was not aware of the vulnerabilities before the US government.
Windows 10 Retpoline Spectre Fix
Retpoline is a “software construct for preventing branch-target-injection.” In other words, it is a patch that protects against Spectre by introducing an alternative prediction branch, keeping the system safe from Spectre-style speculation attacks.
In December 2018, Microsoft made the retpoline fix available for its Insider program. The Insider program and the Insider Previews are where Microsoft tests the upcoming version of Windows 10 before it hits mainstream release. The latest update, 19H1, contains the retpoline update.
However, in March 2019, Microsoft announced that the retpoline fix is available for anyone that wants to download it. There are a couple of stipulations:
- The system must be running Windows 10 October 2018 update.
- The fix only works for pre-Skylake Intel processors and older (the fix also works for AMD machines, AMD readers).
Unsure which Windows 10 version you are currently using? Press Windows Key + I, then System > About. You can see your current Windows version under Windows specification. If it says 1809, you can install the update. If not, you will have to wait until your Windows version catches up.
The retpoline update, KB4470788, will arrive on your system via the regular Windows Update process. However, you can download the KB4470788 update via the Microsoft Update Catalog. Download the correct version for your operating system architecture (e.g., x64 for 64-bit, x86 for 32-bit), then install.
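The checks described above can be scripted for a single machine. This PowerShell function is an added example, not code from the original article or from Microsoft; the name `Test-RetpolinePrereqs` is hypothetical, while release 1809 and KB4470788 are the values given in the text.

```powershell
# Added example; Test-RetpolinePrereqs is a hypothetical name, not a Microsoft cmdlet.
# Values taken from the article: release 1809 and update KB4470788.
$RequiredRelease = '1809'
$RetpolineKb     = 'KB4470788'

function Test-RetpolinePrereqs {
    # ReleaseId holds the four-digit Windows 10 version shown under Settings > System > About.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # First CPU only; Manufacturer is e.g. GenuineIntel or AuthenticAMD.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Get-HotFix raises an error when the KB is absent, so suppress it and test for $null.
    $hotfix = Get-HotFix -Id $RetpolineKb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ReleaseId      = $cv.ReleaseId
        ReleaseMatches = ($cv.ReleaseId -eq $RequiredRelease)
        CpuVendor      = $cpu.Manufacturer
        CpuName        = $cpu.Name   # the script does not decide the CPU generation; check it by hand
        Is64BitOs      = [Environment]::Is64BitOperatingSystem   # True = x64 package, False = x86
        KbInstalled    = ($null -ne $hotfix)
        KbInstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

$result = Test-RetpolinePrereqs
$result | Format-List

if (-not $result.ReleaseMatches) {
    Write-Warning "Release $($result.ReleaseId) is not $RequiredRelease; the update does not apply yet."
} elseif (-not $result.KbInstalled) {
    Write-Warning "$RetpolineKb is not listed; check Windows Update or the Microsoft Update Catalog."
}
```

`Get-HotFix` only reports updates recorded in `Win32_QuickFixEngineering`, so treat a missing entry as a prompt to check the update history rather than as proof the fix is absent.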
Will Spectre and Meltdown Ever Be Fixed for Good?
The first generation of Spectre and Meltdown patches were temporary solutions. The onus should not fall on consumers to enable the vulnerability-blocking patches, let alone have to decide on the trade-off between kernel-level security issues and CPU performance hits. It is simply unfair, let alone wholly unethical.
The slow rollout of retpoline fixes is better for consumers, patching the system vulnerabilities and returning system speed back to previous levels. Still, some users don’t have the benefit of a retpoline fix, so it isn’t a magic band-aid.
Back in early 2018, the Intel financial report featured information from CEO Brian Krzanich who promised that chips with true hardware fixes would begin shipping this year. Unfortunately, Krzanich didn’t elaborate on what that bold statement meant.
However, Krzanich did confirm Intel plans to continue developing its 14nm products (Intel CPUs from 2014 onwards—Kaby Lake, Coffee Lake, Skylake, etc.) throughout 2018. This creates possibilities: “in-silicon” fixes for the current generation of CPUs and fixes for the upcoming Cannon Lake processors, or one or the other.
Later in 2018, Intel announced that hardware fixes—that’s an in-silicon, processor-based fix—will arrive with the upcoming Intel CPU generation. Some fixes will roll out with the low-power processor series, Whiskey Lake, while more are set to arrive with the de facto 10th generation processors, Ice Lake. The new generation of Intel CPUs should also protect against the Foreshadow vulnerability.
Think you’re unaffected by Spectre and Meltdown? Check out the list of computer hardware unaffected by the vulnerabilities, and think again.