It’s been about two weeks since the Spectre and Meltdown CPU flaws were revealed to the world, and we now have a better picture of the scope and impact of those flaws.
Intel CPU chips are vulnerable to both Spectre and Meltdown: almost every Intel CPU made since 1995 is affected. AMD CPUs are vulnerable to Spectre, and ARM CPUs, found in millions of mobile and IoT devices, are vulnerable to Meltdown.
Spectre variant 1 and Meltdown have been patched in Windows, macOS, iOS, Android, and Linux. So far, these updates don’t seem to have affected performance on those platforms.
Spectre variant 2 can only be fixed with a firmware update, which will be optional on most platforms, but also seems likely to result in reduced performance. Firmware updates are more difficult to install than software updates. The task should not be undertaken by casual users, since mistakes can result in ‘bricked’ (unusable) devices. One possible exception is Linux, which in some cases allows for updates to be read from a file during startup, eliminating the need for updating firmware.
Intel is making available firmware updates that will hopefully eliminate the threat on affected computers, but — as Microsoft has demonstrated — many of those computers will be slowed significantly by the updates. Intel is downplaying the performance impact, saying that many users won’t even notice the difference.
Microsoft estimates the performance impact of firmware updates on Windows computers with Intel processors will vary depending on:
- CPU: Haswell and older will be affected more
- O/S version: Windows 7 and 8 will be affected more than Windows 10
- I/O bound servers could be affected greatly (Microsoft may recommend avoiding the firmware updates in this case)
Unfortunately, many PC and device makers first learned of the CPU flaws when the rest of us did: on January 3. While Intel, Microsoft, and the other major players knew about the problem months earlier, less high-profile companies are now scrambling to develop firmware updates for their devices. Most are concentrating on their most recent models, and may never release updates for older devices. For example, as of January 21, the Asus web site does not show any recent firmware updates for my Asus M70AD PC. Millions of other devices seem likely to remain permanently vulnerable to Spectre 2.
The Spectre and Meltdown flaws are very deep inside the internal hardware of almost all computers. This makes them very unusual: more difficult to fix, and potentially very dangerous. Even worse, many Internet of Things devices use affected chips; these devices are usually difficult (if not impossible) to update, and may never be fixed.
The vulnerabilities were discovered in early June 2017, and disclosed privately to CPU chip makers first, then to O/S makers, browser makers, cloud and server providers. Some arguably important groups were left out, including CERT, but despite disclosure being handled responsibly, the news leaked out ahead of schedule on January 4. A lot of work had already been done, but hardly anyone was truly ready.
Intel’s response to the flaws in their CPUs has been criticized by some, and it does seem that the chip giant is not being completely transparent. Intel continues to downplay the seriousness of the flaws, and the performance impact of firmware updates. It’s also fair to ask whether in the rush to increase processor speed, security is being neglected by Intel and the other chip makers. The Spectre and Meltdown flaws should arguably have been caught in development.
What are the actual risks involved?
A malicious process on your computer could read data from another process (such as your banking app) and send it to anyone. This kind of exploit has been demonstrated as effective, and it can even be accomplished using specially-crafted Javascript code on a web site.
A malicious process on a web-based service, server, or virtual machine could read data from another process on that machine or a virtual machine that’s controlled by someone else.
Risks going forward: this has all been rushed (despite some advance warning), and the changes are at the core of CPUs and O/S kernels. Emergency fixes have a way of causing new, hidden problems. We will probably be dealing with the fallout from these flaws for months.
Update 2018Jan23: Intel is now telling us to avoid earlier firmware updates while they work on new updates that (hopefully) avoid rebooting issues on computers running Haswell and Broadwell CPUs. Meanwhile, there’s some strong language coming from Linus Torvalds (Linux’s creator) about the quality of the firmware fixes coming from Intel.