What are Meltdown and Spectre? Are you affected? Is it safe to install updates for the flaws? We answer your questions.
Every year of the last decade or so has provided us with a big new security threat to worry about. Already 2018 has proved to be no exception, and within just a week of the New Year, we learned of a serious design flaw present in most processor chips made in the last 20 years.
Worse still, it was reported by security experts that this could be exploited using techniques known as Spectre and Meltdown, leaving devices vulnerable to hackers, and requiring an operating system update in order to fix it.
A lot has happened since then, so for anyone needing to catch up, here’s a complete guide to the whole debacle.
The design flaw
The security vulnerability is a result of a design flaw that was originally found to be present in all Intel chips made in the last 20 years (effectively every processor since 1995 except Intel Itanium and Intel Atom before 2013).
What exactly are Meltdown and Spectre?
Spectre and Meltdown are simply the names given to different variants of this same vulnerability, which involves a malicious program gaining access to data that is normally protected by the kernel.
Meltdown is so called because it figuratively 'melts' the security boundaries normally enforced by chip hardware that protect sections of the memory. Essentially it's able to spy on data it shouldn't have access to.
Spectre, on the other hand, derives its name from speculative execution, which involves a chip attempting to get a head start on what a user might want from it. For instance, if the program a user is running follows an 'if X, then Y' rule, then if a user chooses to perform X, the chip must then work on carrying out Y. A chip performing speculative execution would start carrying out Y before the user chooses to perform X, to get a head start on computation. Doing so leaks data that should stay confidential.
A Spectre attack requires more intimate knowledge of the victim program's inner workings, and doesn't allow access to other programs' data, but will also work on just about any computer chip out there.
Spectre's name also derives from the fact that it will be much trickier to stop — while patches are starting to become available, other attacks in the same family will no doubt be discovered. That's the other reason for the name: Spectre will be haunting us for some time.
The official Spectre website (yes, there is one) states that while Spectre is harder to exploit than Meltdown, it is also harder to mitigate. It breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Which systems are affected?
Meltdown mostly affects Intel processors, and at the moment it is unclear whether AMD processors are also affected. ARM says some of its processors are also affected.
Spectre is much more widespread, however. Almost every system is affected by Spectre, including desktops, laptops, cloud servers and even smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable, which means all popular operating systems, including Windows, Linux and macOS, are affected.
Am I affected?
It’s safe to say that if you own a computer of some sort, you are almost certainly affected by the vulnerability. And to add insult to injury, you can’t really detect if someone has exploited Meltdown or Spectre against your device, as the exploitation does not leave any traces in traditional log files.
While it’s theoretically possible that your antivirus can detect or block the attack, it’s unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware that uses the attacks by comparing binaries after they become known.
If your system is affected, the exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system. The best way to protect yourself is to keep up to date with the patches that chip and software manufacturers are releasing. However, that could prove somewhat confusing…
In the rush to release patches for the vulnerabilities when they became known at the start of 2018, vendors issued updates that caused many issues for users.
Shortly after issuing a fix in January, Microsoft withdrew the update after a number of AMD-powered PCs failed to boot following the installation of the security patch.
The issue was brought to Microsoft's attention on its customer support blog, with users saying their devices stopped loading the Start menu or taskbar after installing updates pushed to their devices on 3 and 9 January. It seems computers running Windows 10, Windows 8.1 and Windows 7 were all affected, with some of the machines dating back 10 years.
Intel had a much bigger issue after releasing its CPU bug fixes, however.
After discovering that the Spectre patches impact performance by up to 25% on data centre chips, and 3% to 4% on other systems, the chip giant backtracked and decided to advise customers not to download the patches, due to the reboots and performance hits they were causing.
The firm’s executive vice president, Navin Shenoy, recommended that OEMs, cloud service providers, system manufacturers, software vendors and end users “stop deployment of current versions on specific platforms as they may introduce higher than expected reboots and other unpredictable system behaviour”.
This applied to systems powered by Intel’s previous generations of chips, including Broadwell, Haswell, Coffee Lake, Kaby Lake, Skylake and Ivy Bridge families.
In a post on the Linux kernel mailing list, Linux creator Linus Torvalds lambasted Intel for the fiasco, saying the patches “do literally insane things” to the performance of the systems they are installed on.
“They do things that do not make sense,” Torvalds declared. “That makes all your arguments questionable and suspicious. The patches do things that are not sane.”
He ranted that the patches are “ignoring the much worse issue, namely that the whole hardware interface is literally mis-designed by morons”.
Earlier in February, however, Intel issued a fresh patch for devices running its Skylake Core or Core M processors that it claims won’t introduce bad side-effects. The company has since rolled out patches for its Kaby Lake and Coffee Lake families, so systems with sixth, seventh and eighth generation Intel Core and Core X series processors can now be patched.
The recently announced Intel Xeon Scalable and Intel Xeon D processors for data centre systems are also covered by the patches.
The updates might have arrived a few weeks after the original buggy patch release, but the company said it had successfully developed a number of microcode solutions to protect its customers against the Meltdown and Spectre exploits.
“This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production,” Shenoy said in a blog post. “On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process.”
It's still not clear if Intel has successfully patched its fourth and fifth generation Haswell and Broadwell CPUs yet, however.
Should I patch?
That’s the big question. If you’re not willing to take the risk, and particularly if your business could prove a lucrative target for hackers, not patching these vulnerabilities is probably not an option for you. And generally, it’s still good practice to keep up-to-date with the patch releases from the makers of your devices and operating systems.
However, as the problems with the original Intel and Microsoft patches illustrate, you should update with care. If your business has a number of systems, patch testing should be an important part of your update deployment process.
Finally, it appears that Intel’s latest patches for its more recent CPU families will fix the Meltdown and Spectre vulnerabilities without the side-effects of the original updates. But the situation is still fluid, so you should keep up-to-date with the latest security news so you can make informed decisions. And those with older systems not yet covered by the latest patches should be extra vigilant about their security measures.
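As part of the patch testing recommended above, it helps to confirm after an update that a system actually reports the fixes as active. The following Python script is an added example, not part of the original article and not vendor code. It assumes a Linux kernel that exposes status files under /sys/devices/system/cpu/vulnerabilities; the sample statuses in it are constructed for illustration.

```python
from pathlib import Path

# Assumption: Linux kernel new enough to publish per-issue status files here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Status files for the issues this article covers.
CHECKS = {
    "meltdown": "Meltdown",
    "spectre_v1": "Spectre variant 1",
    "spectre_v2": "Spectre variant 2",
}

def classify(status):
    """Map a kernel status line to a coarse verdict."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty or unrecognised: kernel cannot tell us

def read_statuses(directory=SYSFS_DIR):
    """Read each status file; a missing file is recorded as an empty string."""
    statuses = {}
    for name in CHECKS:
        try:
            statuses[name] = (Path(directory) / name).read_text()
        except OSError:
            statuses[name] = ""
    return statuses

def audit(statuses):
    """Return (report, ok); ok is False if any issue is vulnerable or unknown."""
    report = {name: classify(statuses.get(name, "")) for name in CHECKS}
    ok = all(v in ("mitigated", "not_affected") for v in report.values())
    return report, ok

# Constructed sample: Meltdown and variant 1 mitigated, variant 2 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    report, ok = audit(read_statuses())
    for name, verdict in report.items():
        print(f"{CHECKS[name]:18} {verdict}")
    print("all reported as mitigated" if ok else "follow-up needed")
```

An "unknown" verdict usually means the kernel predates this reporting interface, which is itself a sign the system has not received the relevant updates.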