Key vendors have responded quickly to the processor flaws, but be careful – one patch from Microsoft reportedly ‘bricks’ some machines.
UPDATED: In the latest news on the Meltdown and Spectre vulnerabilities that affect Intel and other processors, Nvidia has rolled out a patch for its GPUs, Microsoft has issued and then withdrawn a patch after it was found to ‘brick’ some machines, and Intel is reportedly creating a security research team. Read on for the full story...
Every year, the IT and security industries spew out a new vulnerabilities for businesses to worry about. Well, 2018 came out of the starting blocks particularly early – and this time, it’s a big one.
As we learned on 4 January, a serious design flaw reportedly present in all Intel processors made in the past ten years could leave devices vulnerable to hackers.
Reported by The Register, the first so-called Meltdown flaw allegedly affects all systems running Intel x86 chips and is present across all popular operating systems, including Windows, Linux and macOS. A second flaw, dubbed Spectre, affects Intel, AMD and ARM chips.
This means that just about all modern PCs, laptops, servers and many other devices are potentially affected, although we should stress that these are vulnerabilities only, and there have been no reports yet of malware or attacks that have exploited the vulnerabilities.
The technology industry in general has been quick to respond, with key players from different sectors, such as cloud providers and device manufacturers, reporting whether they already knew about the flaw, if they’ve already patched it or what it could mean if it isn’t fixed.
Microsoft was one of the vendors to issue patches – see the responses from others below – but based on some reports, that patch has resulted in some significant issues.
Microsoft's patch 'bricks' older AMD machines
Microsoft's patch to address the Meltdown and Spectre bugs has reportedly bricked a number of machines running older AMD processors, with users complaining of boot errors, crashes and being unable to bypass the Windows logo on the splash screen.
In response, Microsoft is pausing the rolling out the update until it can solve the problem. In a statement, the company said: “Microsoft has had reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates. To prevent AMD customers from getting into an unbootable state, Microsoft will temporarily pause sending the following Windows operating system updates to devices with impacted AMD processors at this time.”
One user's lengthy post on Microsoft's community forum claimed that Windows patch KB4056892, which was rolled out to fix the recently discovered critical processor bug Spectre, caused their AMD Athlon machine to suddenly stop working and become locked to the Windows boot screen.
“I can try full reinstall, but I doubt it will change anything,” said Windows user Jaroslav Škarvada. “It seems like the update is binary incompatible with my old CPU. I understand that making the machine unbootable is the best protection from remote exploitation, but I would rather have the OS working.”
What's more, a rollback reportedly cannot fix the problem, because Windows will automatically download and try to reinstall the patch once the machine returns to the desktop. In some instances, attempts to revert the machine back to previous states result in an impassable 0x800f0845 error, according to the post.
Users have since corroborated the flaw, which seems to affect older AMD processors, including the Athlon and Sempron series, running both 32- and 64-bit versions of Windows 10. It's the Spectre flaw that affects AMD chips (as well as those of ARM), while Meltdown is specific to Intel processors.
“Having the same issue, with a freeze at Windows logo screen and update rollbacks loop after installation of Meltdown/Spectre patch, on Windows 10 x64 Pro Build (1709 16299.125) with an HP Pavilion Entertainment PC DV2-2116WM with AMD Turion 64 X2,” said another user.
Those who have been able to get their machines back to the desktop have even tried to terminate the update process in the task manager in order to avoid the machine connecting to the Microsoft servers, but have had mixed success so far.
“Unfortunately, even though I successfully ‘hid the 2018 Cumulative Update KB4056892’, and it showed up in the hide/show tool as being hidden, Windows Update just charged ahead anyhow and began downloading, got to 100% download, and then began installing this update on my system until I quickly disabled windows update service again,” said another user.
In its response, Microsoft also seemingly passed the buck for the problem back to AMD, claiming that some AMD chipsets do not “conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”
What you need to do about the CPU flaws
Choosing to patch a vulnerability of this kind presents a difficult choice for both individuals and businesses, as there are going to be performance drops in machines once an update is applied. You may find, for example, that software such as their antivirus solutions may not be compatible with patches issued by Microsoft.
Despite the above users' experiences with the Microsoft patch, we still recommend installing security updates from your hardware and operating system providers. However, it would be prudent to search online for known issues related to patches, before installing them, and keeping up-to-date about how the vendors are addressing the CPU flaws.
Here are the responses from some key vendors:
According to the search engine giant, the Google Project Zero security team has already fixed the bug after it discovered the CPU vulnerability last year.
Google’s Cloud VP, Ben Treynor Sloss, said in a statement on Wednesday that since this time, the company's engineering teams have been working to protect customers from the flaw "across the entire suite of Google products", including Google Cloud Platform (GCP), G Suite applications, and the Google Chrome and Chrome OS products.
“We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web,” Sloss explained.
“All G Suite applications have already been updated to prevent all known attack vectors. G Suite customers and users do not need to take any action to be protected from the vulnerability.”
Google said this was possible because its Cloud product is architected in a manner that enables the team to update the environment while providing operational continuity for its customers.
“We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts,” Sloss added.
However, the company warned customers who use their own operating systems with GCP services may need to apply additional updates to their images and should refer to the GCP section of the Google Security blog post for additional details.
Since the CPU flaw was reported widely by the tech industry on Wednesday, Amazon Web Services (AWS) released a statement to say it too was made aware of the research around the bug, which it referred to as “side-channel analysis of speculative execution on modern computer processors, CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754”.
AWS even went as far as saying the vulnerability has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices, and “all but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected”.
The cloud giant reassured users that the remaining instances will be completed in the next several hours, with associated instance maintenance notifications.
“While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems,” it warned. “Updates for Amazon Linux have been made available, and instructions for updating existing instances are provided further below along with any other AWS-related guidance relevant to this bulletin.”
AWS added that updated EC2 Windows AMIs will also be provided as Microsoft patches become available.
According to software developer Alex Ionescu, Apple introduced a fix for the CPU flaw in the release of macOS 10.13.2, and there are additional tweaks set to be introduced in macOS 10.13.3, which is currently in beta testing.
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63— Alex Ionescu (@aionescu) January 3, 2018
According to AppleInsider, “multiple sources within Apple” have said that updates made in macOS 10.13.2 have mitigated “most” security concerns associated with the CPU vulnerability.
Cisco revealed that it was investigating dozens of routers, switches, and servers to see whether its hardware was affected by the Spectre and Meltdown flaws, although it said that the majority of its products are closed systems and would be unaffected.
Intel to create security research team
For its part, Intel is reportedly due to create an internal cyber security research group following the discovery of critical vulnerabilities affecting every one of its processors from the past 10 years.
CEO Brian Krzanich told employees in an internal memo that the company was placing renewed importance on security, and that the changes would effective immediately, the Oregonian newspaper reported on 9 January.
“It is critical that we continue to work with the industry, to excel at customer satisfaction, to act with uncompromising integrity, and to achieve the highest standards of excellences,” said Krzanich in the memo, sent on Monday ahead of his CES 2018 keynote.
“Simply put, I want to ensure we continue to respond appropriately, diligently, and with a customer-first-attitude.”
Intel's head of human resources, Leslie Culbertson, who has been with the company since 1979, is set to run the new Intel Product Assurance and Security group, according to the memo. Culbertson had previously served as Intel's director of finance and as general manager for systems manufacturing.
The memo also indicated that Josh Walden, who has only just been appointed head of Intel's technology group, and Steve Smith, VP of Intel's data centre engineering group, will also be reassigned to work as part of Culbertson's team.
Intel has been contacted to confirm the memo's content.
The company was clearly caught off-guard by the Meltdown processor flaw, which in theory could have allowed hackers to steal sensitive data, but there have been no reports of the vulnerability being exploited in the wild.
Intel was initially quiet about the flaws and even dismissed initial reports as “inaccurate”, however, the company has acknowledged the issues and released updates for more than 90% of its processors released in the past five years, with more coming in the next few weeks.
“I want to take a moment to thank the industry for addressing the recent security findings,” said Krzanich, during his CES keynote this week. “The collaboration among so many companies to address this industry-wide issue has been truly remarkable.”
Intel previously operated its own security group under Intel Security, created following its acquisition of McAfee in 2011. However, in 2016 Intel sold control of the division off to private equity company TPG, which took a 51% majority stake in the firm, whose name was changed back to McAfee, in a deal thought to have generated $3.1 billion for Intel.
Krzanich reassured investors at the time that security would remain an important part of its chips as the company pushed into new markets.
Security giant McAfee released a statement saying the disclosure of the CPU flaw reveals that the scope of implications extends beyond just PCs to servers, cloud, mobile and IoT platforms, and affects the CPU platform of multiple vendors, not just one as was first thought. Apparently, it can impact both corporate and consumer domains at the same time if left unpatched.
“These methods attack the foundational modern computer building block capability that enforces protection of the OS from applications, and applications from one another,” warned the firm’s CTO Steve Grobman. “Businesses and consumers should update operating systems and apply patches as soon as they become available.”
Nvidia issues patches but says GPUs are ‘immune’ to bugs
On 10 January, Nvidia rolled out a patch for its graphics processing unit in response to security vulnerabilities exposed by the Spectre and Meltdown bugs. However, the company's boss has claimed its hardware did not contain the same flaws as those found in CPUs.
“Our GPUs are immune. They are not affected by these security issues,” said Nvidia CEO Jensen Huang, speaking at CES 2018, as reported by Reuters.
Although the GPUs aren't at risk, the company said it was releasing software patches as a precautionary measure as its hardware directly interacts with processors containing the critical flaw.
It's further evidence that the vulnerabilities identified have had far wider implications for the industry than first thought, as companies that produce hardware that works alongside affected CPUs race to try and plug any potential gaps that could be exploited further down the line.
Nvidia's patches not only apply to its consumer GPUs, which power the largest market share of personal computers, but also to the hardware it supplies to data centres, one of its fastest-growing markets. GPUs affected include its popular GeForce range, Tesla, Grid, NVS, and Quadro.