Are We Secure From Spectre and Meltdown Yet?
Whatsapp Pinterest

The Spectre and Meltdown processor vulnerability revelations Meltdown and Spectre Leave Every CPU Vulnerable to Attack Meltdown and Spectre Leave Every CPU Vulnerable to Attack A huge security flaw with Intel CPUs has been uncovered. Meltdown and Spectre are two new vulnerabilities that affect the CPU. You ARE affected. What can you do about it? Read More were a shocking start to the new year in cybersecurity The Major Cybersecurity Events of 2017 and What They Did to You The Major Cybersecurity Events of 2017 and What They Did to You Were you the victim of a hack in 2017? Billions were, in what was clearly the worst year in cybersecurity yet. With so much happening, you may have missed some of the breaches: let's recap. Read More . The vulnerabilities affect almost every processor, across almost every operating system and architecture. Processor manufacturers and operating system developers swiftly issued patches to protect against the vulnerabilities — but there were some serious teething issues, too.

Now, over a month on from the initial reports, are we any closer to truly fixing the Meltdown and Spectre vulnerabilities?

Spectre and Meltdown Vulnerabilities Everywhere

The recently discovered security problems will impact computing Revealed: How Spectre Updates Will Affect Your PC Revealed: How Spectre Updates Will Affect Your PC We assume you're fully aware of Meltdown and Spectre by now. Which means it's time to find out exactly how the Windows updates Microsoft has released will affect your PC... Read More for a long time. Meltdown specifically impacts Intel microprocessors stretching back to 1995. The longevity of this issue means most of the world’s Intel processors are at risk and even services like Microsoft Azure and Amazon Web Services.

Spectre has a similar global effect, affecting microprocessors from the rest of the major designers: AMD and ARM. This means most of the world’s computing systems are vulnerable Are Any Computers Not Affected by the Meltdown and Spectre Bugs? Are Any Computers Not Affected by the Meltdown and Spectre Bugs? The Meltdown and Spectre vulnerabilites have affected hardware around the globe. It seems like everything is insecure. But that isn't the case. Check out this list of secure hardware and our tips for the future. Read More and have been for over 20 years.

Understandably, this revelation is causing some consternation for consumers and businesses alike. The worry is multifaceted. Will the patches on offer work? Is it simpler to replace entire stocks of microprocessors? When will a fully secure processor come to market? And what about the cost?

“We’ve never seen such an expansive bug like this that impacts literally every major processor,” says David Kennedy, the CEO of TrustedSec, which does penetration testing and security consulting for corporations. “I was on at least ten calls last week with big companies and two yesterday explaining what’s happening. They have no idea what to do when it comes to patching. It’s really causing a mess.”

Patches Galore

The sheer range of vulnerable devices offers another problem Is Your Chromebook Protected Against Meltdown? Is Your Chromebook Protected Against Meltdown? Google has published a list of all known Chrome OS devices, detailing which are currently vulnerable to Meltdown, and which require patching. Read More . Each type of hardware needs a slightly different individually crafted solution. The patch process since early January has been nothing short of boggling.

spectre and meltdown secure yet

Intel rushed to develop and release a security patch. The downside was some serious performance issues. Intel infamously said, “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.” This was untrue then and remains so at the time of writing. Even newer processors only just coming to market still feel the effects.

In fact, on Monday, January 22, Intel retracted one of its Spectre patches because it was causing random reboot issues. Intel suggested that network administrators should simply roll-back any updates already installed, with Intel executive vice president Neil Shenoy saying “I apologize for any disruption this change in guidance may cause.” VMware, Lenovo, and Dell all made similar announcements at the same time.

Then at the end of January, Microsoft also announced that the Spectre and Meltdown patches for Windows 10 were compromising performance and causing random fatal errors, confirming that their security fixes were buggy. Oh, and Apple similarly retracted claims regarding protections for older machines, releasing a plethora of patches for High Sierra, Sierra, and El Capitan.

Linus and Linux

Linus Torvalds, the creator and principal developer of the Linux kernel, remains highly critical of the entire Spectre/Meltdown patch process (what is a kernel, anyway? The Linux Kernel: An Explanation In Layman's Terms The Linux Kernel: An Explanation In Layman's Terms There is only one de facto thing that Linux distributions have in common: the Linux kernel. But while it's often talked about, a lot of people don't really know exactly what it does. Read More ). In fact, Torvalds went as far as to declare the Intel patches as “COMPLETE AND UTTER GARBAGE.” You can read the rest of his tirade here — and it is worth the read.

The text is somewhat jargon-laden, so I’ll do my best to explain it, simply.

Linus analyzed the patches. He found Intel attempting to make the security patches optional, as well as OS-based so that they don’t have to completely overhaul their CPU design (which is the only option for real security — I’ll explain why in a moment). Instead of issuing two patches where one enables the security patches and a second one that implements the fixes to the kernel.

Instead, Torvalds contends Intel is forcing the two together to gloss over the performance hits by allowing an “Optional Secure Mode,” whereby the user must opt their CPU into the fix and making the performance hit the customers decision, rather than Intel taking the flak. Furthermore, if and when users boot an older operating system that hasn’t ever known the patch, they’ll be instantly vulnerable.

On January 29, the Linux 4.15 kernel was made available, featuring newly expanded security capabilities in Intel and AMD CPUs on Linux devices. And while Linus Torvalds rant was Linux focused, it is clear that the Intel patches weren’t up to scratch for any operating system.

Microsoft Out-of-Band Updates

As mentioned above, Microsoft is also unhappy with Intel’s approach How to Protect Windows From Meltdown and Spectre Security Threats How to Protect Windows From Meltdown and Spectre Security Threats Meltdown and Spectre are major security threats that affect billions of devices. Find out whether your Windows computer is affected and what you can do. Read More to the security patches. So much so that it broke with its traditional Patch Tuesday approach to most security patches, instead issuing a rare out-of-band security update. The Microsoft patch simply disables the Spectre variant 2, in testament to how bad Intel’s patch is.

The new patch is available via the Microsoft Update Catalog.

Alternatively, users wishing to go the down the manual fix route should read the Microsoft Windows Client Guidance document for advice on the somewhat tricky registry changes.

What About China?

Despite Intel dodging one bullet regarding its latest earnings report (despite exposing most of the world’s computers Intel profits are chugging along nicely), Intel took on heaps more criticism for reportedly disclosing both Meltdown and Spectre to massive Chinese customers like Alibaba and Lenovo — before it told the US Government.

In fact, several major US agencies were only made aware of Spectre and Meltdown when reports went public, rather than any pre-disclosure notification process. And while there is no indication that the information was improperly used (e.g. passed onto and used by the Chinese government), it raises significant concerns about Intel’s choices of who to inform.

Given the depth and scale of Chinese internet surveillance, it seems entirely unlikely the Chinese government was not aware of the vulnerabilities before the US government.

Are Real Fixes for Spectre and Meltdown Ever Going to Happen?

The security patches are, realistically, a temporary solution. The onus should not fall on consumers to enable the vulnerability blocking patches, let alone have to decide on the trade-off between kernel-level security issues and CPU performance hits. It is simply unfair, let alone completely unethical.

Part of the Intel financials reports featured information from CEO Brian Krzanich who promised that chips with true hardware fixes would begin shipping this year. Unfortunately, Krzanich didn’t elaborate on what that bold statement meant.

However, because Krzanich did confirm Intel plans to continue developing its 14nm products (Intel CPUs from 2014 onwards — Kaby Lake, Coffee Lake, Skylake, etc.) throughout 2018. This creates possibilities: “in-silicon” fixes for the current generation of CPUs and fixes for the upcoming Cannon Lake processors, or one or the other.

Furthermore, no one is clear exactly what the fixes will entail. The current microcode and workaround approach is clearly not working. Given more time for development, would higher-performance, better-coded versions feature? Or will Intel accept that their CPUs require modification at a much deeper level?

One thing is for sure, though. Despite this monumental vulnerability that affects so many devices, Intel sales are likely to increase as large corporations, businesses, and consumers alike jump from affected hardware when the new, presumably secure generation arrives.

What do you think about Spectre and Meltdown? Has it prompted you to consider buying a new PC in 2018? Let us know!

Explore more about: Computer Security.

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *