Spectre and Meltdown — phones, tablets, and computers, oh my!

Much in the media this week about an industry-wide problem with all devices using Intel processors — CPU chips, and perhaps those from other manufacturers as well. A security vulnerability: Meltdown and Spectre. It’s like Dorothy, the Tin Man and the Scarecrow walking through the dark forest in the 1939 classic The Wizard of OZ and chanting “Lions and tigers and bears, oh my!”

PC World’s been covering this situation with a bunch of articles. Here’re a few links:

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against it. And worse, plugging the hole can negatively affect your PC’s performance.

Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant, as ever. If you want to dive right into the action without all the background information, we’ve also created a focused guide on how to protect your PC against Meltdown and Spectre.1

Intel said the patches for the CPU vulnerability, due next week, would bring a negligible performance hit to the average user. Claiming that the patches can make PCs “immune” from the vulnerabilities is a first, though.

Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.

We’ve been waiting to hear from Apple ever since we first heard about the far-reaching Meltdown and Spectre CPU flaws earlier this week, and the company has finally responded with some not-so-good news: All Mac and iOS devices are affected. That’s right, all of them. However, Apple ensures us there’s no reason to panic.

So, the bottom line is that this vulnerability is serious. Lots of manufacturers of the hardware and software that make your devices run are working on the fixes. Some patches already have been released. So, just be ready for the updates. It’ll take time for everything to settle down. The major concern is impact on performance. Ironically, the vulnerabilities were a result of long-standing techniques to improve performance. As PC World stated:

“We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.”

In summary:

  • Update your operating system
  • Check for firmware updates
  • Update your browser
  • Keep your antivirus active

 

[1] That PC World article notes that:

  • Microsoft pushed out an emergency Windows patch [Windows 10 ‘1709’ edition KB4056892 patch] late in the day on January 3.
  • Apple quietly worked Meltdown protections into macOS High Sierra 10.13.2, which released in December. [Also iOS 11.2.]
  • Intel also released a detection tool that can help you determine whether you need a firmware update.
  • The major PC web browsers have all issued updates as a first line of defense against nefarious websites seeking to exploit the CPU flaw with Javascript.
  • The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer.

UPDATE: I haven’t tried Intel’s detection tool, but today (January 17, 2018) Senior Editor Brad Chacos at PC World published an article about a 3rd-party tool which checks whether your system has been patched to protect against the flaws: “Is your PC vulnerable to Meltdown and Spectre CPU exploits? InSpectre tells you.”

Gibson Research recently released InSpectre, a wonderfully named, dead simple tool that detects if your PC is vulnerable to Meltdown and Spectre.

InSpectre is a small 122 KB program that doesn’t need a formal install and scans your computer for Meltdown and Spectre susceptibility in mere milliseconds. When it’s done, the program pops up with clear, easy-to-read information about the security status of your system.

This is the sort of software Microsoft or Intel should have released to help clarify the murky, convoluted patching situation around this devastating duo of CPU exploits.

Personally, I’ll wait for these tools to evolve further.

6 comments

  1. On January 6, I received an email message (blast) from Norton.com.

    What you need to know about staying protected against the Meltdown and Spectre vulnerabilities

    As a Norton subscriber, Norton helps protect you.

    Norton can help users protect against some instances of this threat. If you run into any issues installing patches, you should make sure your Norton product definitions are up to date first, then apply operating system patches immediately afterwards. Patches have already been released for Microsoft Windows, Apple macOS, and Linux to patch Meltdown.

    Their message also included this link to a blog post:

    https://www.symantec.com/blogs/threat-intelligence/meltdown-spectre-cpu-bugs

  3. PC World continues to cover this subject.

    Microsoft tests show Spectre patches drag down performance on older PCs

    Unfortunately, older PCs look like they’re going to be hit the hardest, based on the way Windows was coded at the time. But even if you’re tempted not to patch, please do! Your data needs to be protected.

    In a blog post, Microsoft’s OS chief, Terry Myerson, explained that patches for 41 of the 45 editions of Windows that Microsoft distributes now have patches available. Microsoft and other vendors recommend that those patches be swiftly applied; Windows Update’s January rollup patch applies those patches to Windows systems. Users also need to ensure that their antivirus software is up to date.

  4. Here’s today’s blog post by Microsoft on performance impact of the patches for Meltdown and Spectre:

    Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

    Here is the summary of what we have found so far:

    With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.

    With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.

    With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.

    Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.

  5. January 28, 2018, the saga continues: “Microsoft issues emergency Windows patch to disable Intel’s buggy Spectre fix.”

    If you’ve noticed any unexpected reboots or PC instability as a result of the recent Spectre patches, there’s a solution: Microsoft has issued an emergency Windows patch that rolls back the recent Spectre mitigations.

    Confused? It’s a bit complicated. After the intial Spectre and Meltdown vulnerabilites were disclosed, both Intel and Microsoft hustled out patches to mitigate the problem. Unfortunately, Intel’s latest microcode updates—and the BIOS updates from PC makers based upon them—were themselves buggy, causing instability, reboots, and data loss in some PCs.

    Microsoft’s latest patch (KB4078130) allows people with affected systems to download the patch via the Microsoft Update Catalog, which disables the mitigations for the “Spectre variant 2.”

    There are caveats. Read the full article for more information.

  6. Regarding patches for the Meltdown abd Spectre vulnerabilities, the discussion among experts in the field is intense. For example, a seminal figure in the develoment of the Linux operating systems considers Intel’s fix misguided. Here’s one article on that topic: Tech Crunch, January 22, 2018, Linus Torvalds declares Intel fix for Meltdown/Spectre ‘COMPLETE AND UTTER GARBAGE’

    These and other kind epithets are awarded by Torvalds in a public email chain between him and David Woodhouse, an engineer at Amazon in the U.K., regarding Intel’s solution as relating to the Linux kernel. The issue is (as far as I can tell as someone far out of their depth) a clumsy and, Torvalds argues, “insane” implementation of a fix that essentially does nothing while also doing a bunch of unnecessary things.

    At any rate, this is all very deep discussion and really only a small slice of it. I’m not highlighting this because I think it’s technically interesting (I’m not really qualified to say so) or consequential in terms of what users will see (it’s hard to say at this point) but rather to simply point out that the Meltdown/Spectre debacle is far from over — in fact, it’s barely begun.

Leave a comment