Just after a bright and hopeful ringing in of the New Year, January 2nd, 2018 came with an amazing, yet terrifying, report of two major processor (CPU) security vulnerabilities that affect virtually every computing device. The two CPU flaws – dubbed Meltdown and Spectre – are reported to affect CPU chips manufactured within the past 10 years by Intel, AMD, and ARM holdings. However, as more and more R&D and triage is being reported, it looks like Intel is truly the major owner and inventor of these processor bugs. And these bugs sting; if you are a user of a desktop, laptop, tablet, smartphone, cloud service, etc, you are potentially vulnerable (which includes everybody).
As we all should know by now, a decade in the world of tech and computing might as well mean a Millennia. Let’s take a few minutes and dive into Meltdown and Spectre and learn what’s to come as vendors scramble to make and push updates to our precious computing devices.
Why did this this happen and why is Spectre and Meltdown important?
During their CPU design process, Intel implemented a few ways to gain performance without solely relying on a faster CPU clock speed. If the reported 10 year bug timeline is true, Intel implemented these “advancements” during the 2006-2007 Core Single, Core Duo and Core2Duo releases of their landmark processor lines. Wow. I have personally owned 8 desktops, 4 laptops and 4 mobile phones during those years – all of which riddled with these dangerous processor bugs.
Spectre is the main threat because it is present in billions of devices. Meltdown appears to affect only Intel chips, leaving AMD, ARM and RaspberryPI devices untouched.
For sake of your sanity and ours, we are going to keep the nerdy, technical details of CPU design out of this article. However!
- The really smart folks over at raspberrypi.org have an amazing read which details the performance features – caching and speculative execution – and how the bugs work in scalar and superscaler processors.
- John Leyden and Chris Williams at The Register did a great piece on January 2nd in their reporting on Spectre and Meltdown. Well worth the time.
How do Spectre and Meltdown affect me?
What’s really the impact? It’s been tested and reported that these vulnerabilities and bugs allow access to all your data on your computing device. A hacker could deploy malware via an email, network, virus and boom, your data is ALL theirs!
We expect that most-to-all software and hardware vendors will be providing patches to remove these CPU bugs in either the format of software, operating system or firmware updates. However, removing these bugs subsequently also will remove the performance enhancements!
Earlier in the week, Intel reported in its January 4th presser that the major industry players (Microsoft, Apple, Google and Amazon) noticed a negligible affect on performance (if any at all). Those statements are directly refuted by some of the reports from users, professionals and other news outlets who are showing performance DROPS of 5% to 50% depending on the application! Wow.
The folks over at RedHat Linux report 2-12% decrease in CPU performance based on application.
What you can do to secure your devices against Spectre and Meltdown.
Get those updates friends – unfortunately, that is all you can do right now. You are at the mercy of the vendors until we learn more information. You can’t just buy a new CPU, phone or tablet as even the latest on the shelves are still affected by Spectre and Meltdown CPU bugs.
As a general rule of thumb, be aware of the websites you visit, software you install and places you frequent online. Reduce your attack vector from malware and viruses that may be lurking waiting in the shadows to exploit a Spectre or Meltdown vulnerability.
What does Spectre and Meltdown mean for all of us going forward?
Performance: An unfortunate downside of the software and firmware updates is that they may slow your computer, tablet and mobile devices depending on what applications your running.
Updates: Your in for a lot of updates over the coming weeks. Keep up on the updates and keep installing them.
Security going forward: Security and computing is always evolving. We learn every day of a new threat, bug or exploit. See our article on Security fatigue to keep a level head and keep those updates installed!
Buying a new PC, Phone or other Device: Our opinion is that Intel, AMD, ARM and RaspberryPI will be more considerate and cautious going into the next rounds of their CPU design. Maybe they won’t trade off security for performance gains. If you are thinking about buying a new computing device it may pay off to wait until the next generation of processors are released and tested.
Be safe out there.
Photo by Jeremy A.A. Knight