If you bought a CPU in the last few years, you’re likely affected.
Modern CPUs from Intel, AMD, and ARM have been shown to have massive security vulnerabilities in them. The interim solution takes the form of patches for operating systems including Windows, macOS, Android, iOS, and Linux, but these haven’t been without problems either.
Here’s what you need to know.
What is it?
In a nutshell, the exploit allows a process with normal user privileges unauthorized access to the OS’s kernel, which may contain sensitive material such as passwords or encryption keys.
The flaws have been dubbed Meltdown and Spectre, and the former is technically the more serious one. Both are based on the same principle, using speculative execution to break the “fundamental isolation” between apps and the OS in an attempt to obtain data.
Modern CPUs improve performance by using speculative execution to preemptively execute likely code branches. Sometimes, the processor can get ahead of itself and execute the wrong instructions, so it ends up dumping the data and starting over. The problem is that these exploits take advantage of how the data is dumped, and could enable attackers to read this data if they have the right malware installed on the system.
The difference is that Meltdown allows malware to gain access to the computer’s kernel, while Spectre filches data from the memory of other programs. Spectre essentially tricks applications into speculatively performing operations that would not otherwise occur, and in this way leaks information to an attacker.
Which chips are affected?
If you own a laptop, smartphone, or other computing device you bought in the past decade, you’re out of luck. The implications of this are far-reaching, and even massive cloud computing platforms like Amazon Web Services and Google Cloud are not spared.
Users who rent time from these supercomputing clusters could be especially vulnerable, as those running unpatched and unprotected systems could expose themselves to malicious actors sharing their processors.
The exploits also don’t affect all chips equally. Meltdown primarily affects Intel’s chips (because of how aggressively they employ speculative execution), but Spectre can affect Intel, AMD, and ARM processors as well. In addition, there are actually two variants of Spectre – AMD’s chips reportedly have “near zero” risk to one, but they can be susceptible to the other, dubbed Spectre variant 2.
What’s the fix?
Basically, update all your stuff. The entire computing industry is moving quickly to patch the vulnerabilities, so you should install an update if you see one available on your PC, smartphone or tablet (most of the time anyway). This doesn’t just apply to your OS however, and extends to your system’s firmware, web browser, software and anti-virus as well.
However, there are a few caveats attached. Intel released a firmware update for Spectre variant 2, but the “fix” ended up causing problems like reboots and data loss. Ultimately, Intel ended up advising users not to install the available patch until more stable microcode updates were available.
The first of these arrived on 7 February, in the form of a Spectre firmware patch for Intel’s Skylake processors. In the meantime, Microsoft also released an emergency Windows patch that disables the fiawed Spectre fix, but that took the form of an optional update.
The bad news continues however, and it turns out that the patches could result in up to a 30 per cent performance hit. That’s because the patches enforce a new level of virtual isolation between the kernel and processor, so requests between the two have to take an even longer route.
That said, Intel says the extent of the slowdown depends on the workload in question and average PC users should not notice it. How old your PC is appears to matter too, and Microsoft says that users running 6th-, 7th-, and 8th-generation chips and Windows 10 should be relatively unaffected.
So… what’s the real solution?
While Meltdown can technically be mitigated with software updates, Spectre requires a complete hardware redesign in order to be properly resolved. Meltdown is the more talked about problem because Spectre is so much harder to execute, but that doesn’t mean that it can be ignored.
Speculative execution has been an important piece of processor design for over two decades, and it’s responsible for countless performance improvements. Manufacturers will now need to rethink the fundamentals of processor design, and you can be sure that the next generation of chips will be quite different at the hardware level.
The good news is that we may not have to wait that long for a solution. In January, Intel confirmed that silicon-based changes would begin appearing in chips this year.
PICTURES NATASCHA EIBL, 123RF