“MELTDOWN” and “SPECTRE” CPU Security Vulnerabilities – All you need to know!

Recently, a collection of security loopholes have being found within Computer CPUs, mostly in relation to the Intel. Above, you can see a list of the 6 major brands of CPUs (Central Processing Unit), and we can pretty much guarantee that the device you’re reading this post on, contains one of them. However, depending on which one your device does contain, could mean you’re device could be vulnerable to a collection of security flaws which could compromise data on your machines.

Don’t get us wrong, security flaws, viruses, etc, happen all the time on a daily basis, however, typically, a virus affects the software within a Computer Operating System environment, meaning, as an example, a Windows PC only would be affected, and in most cases a clean install could even fix the problem, if not simply an Anti-virus security definition update. However, these two reported CPU flaws affect the actual CPUs themselves, by having the ability to get right in to the CPU in questions, base RAM management, so you can imagine, it’s far more serious, and makes these problems Operating System agnostic!

TO READ ABOUT THE CODENAMED “SPECTRE” SECURITY FLAW, YOU CAN SCROLL DOWN

MELTDOWN

The first, and most serious, security flaw that’s being detected and rushed to be patched, is codenamed “MELTDOWN”. This is a pretty serious security flaw which affects ALL Computers, regardless of Windows, macOS, ChromeOS, Linux etc, which feature ANY Intel CPU made in the last decade! We’re talking anything from the Intel Core Duo series back in 2006-7, to the latest Coffee-Lake CPUs!

To over-symplify the problem, any normal user level programs on your Computer was discovered to have unauthorised access to the protected memory kernel within your Intel processor. For those unfamiliar, the kernel in your CPU is responsible for EVERYTHING within your Computer, in relation to running tasks, making tasks run and stopping them, and this goes far beyond simply opening a program, we’re talking background tasks as well. The possibilities of what this security flaw could impose is beyond what even the imagination could come up with, it’s that serious.

Proposed patch “KAISER”, and it’s performance implications!

As you’d expect, Intel, as well as Microsoft and it’s OEMs, as well as Apple, were pretty quick on creating some form of quick patch for the security loophole, and some have released. Microsoft have been testing a security fix on Preview builds of Windows 10, and have begun rolling out the same patch to their Surface devices, with other PC OEMs likely to follow. Apple have recently confirmed their Mac systems are affected as well, because of course they are, they run Intel CPUs, and have already issued an update to macOS High Sierra with the similar fix. Google have also issued a fix for ChromeOS devices as well!

So, what’s the problem, it’s been fixed right? Well…

Yep, that’s right. The quick fix for the security flaw affecting all Intel processors from the past decade is expected to cause Performance degradation, and in some cases far from slight performance degradation, we’re talking anywhere from a, granted hard to notice, 5% on some systems, to a whopping 30% loss in CPU performance until a more permanent fix can be found for the problem!

Now, considering some of the systems affected by this are far beyond their Software Security support, it’s likely a collection of Computers will be left unfixed by this problem as well, as well as some older systems facing the prospect of that steep performance drop, ouch!

Despite this, we do recommend you install the patches, which have already being provided by Apple to Macs running Sierra and High Sierra (we hope they extend that back), as well as the patches Microsoft and Intel claim should be hitting the majority (90%) of Windows based PCs by ‘the end of the week’. This isn’t a great fix, in relation to drop in performance, but trust us, it’s far better than having the potential security problems this could cause!

Likely outcome to this problem!

Whilst the majority of users will obviously wish to look after number one, it’s worth noting the incredible impact this could have on the Internet as we know it! It’s not just users running Computers with Intel processors, servers as well run them too, typically the Xeon architecture. Just put this in to perspective, imaging if Amazon Web Services (AWS), which powers the majority of the Internet including streaming services like Netflix or BBC iPlayer, was to get hit by that larger estimated drop in performance, we’re all going to be affected! The outcome of that, slower services, users complain, the big companies turn to the server companies like Amazon, Microsoft or Google, who them turn to Intel, and you can only imagine the temptation of a Class Action Lawsuit!

This could be incredibly hard hitting for Intel, especially considering the company is expected to have known about this problem for quite some time, we’re talking just past half of 2017, so pretty serious. It’s worth noting that the majority of programs to be hardest hit by the performance fix will be Networking and Database programs, so, like we said, Web services, Data centres.

Systems UNAFFECTED by this Security Flaw

The MELTDOWN security flaw literally only affects Intel based CPUs created over the past decade. This means if you’re running a Desktop PC with an AMD CPU, whether that’s an old Athlon to the latest Ryzen series, you are completely free of this security problem and don’t need to worry.

PCs running ARM processors are also unaffected as well, processors from the likes of Qualcomm, which have begun appearing on Windows 10 PCs won’t be affected by MELTDOWN either.

STATEMENT BY INTEL ON MELTDOWN

Intel has issued a statement confirming the issue is present, and the work and direct links to issue patches on your systems, which you can find right here!

It’s also worth noting, AMD also issued a statement showing how they’re not affected by the MELTDOWN issue, that you find here!

Google also issued a statement to let users know of potential slowdowns in cloud services due to fixes made.

SPECTRE

No, we’re not talking about the latest James Bond film, which like most Daniel Craig ones was a disappointment, we’re talking about ANOTHER codenamed security flaw codenamed “SPECTRE”. Unlike, MELTDOWN, SPECTRE isn’t anywhere near as hard hitting, but if we were to present that same list of CPUs running on Computers and Mobile Devices and were to add a red tick box to those affected by SPECTRE, well, see for yourself;

Yeah, it’s the lot of them. However, whilst, sure Intel has two to deal with, whilst AMD, PowerPC and the myriad of ARM processors are ALL affected by the SPECTRE bug, it’s worth noting this is a far less serious bug, firstly because no vulnerabilities have yet been discovered as a result of noted Security flaw, that’s not to say they won’t, but also the fact that SPECTRE is a far more difficult flaw to become executed as it demands far more manual granular control by the user administrative side.

Both Google and Amazon have confirmed neither of their Home Speaker devices, or basic accessories such as Google Home, Amazon Elexa or Chromecast and Fire Sticks, are affected at all by SPECTRE, likely due to those devices lack of CPU command base memory, though when it comes to more or less everything else should you be worried?

Supposed fixes, and when to expect them!

Like with MELTDOWN, SPECTRE was known about for a while, be it not as long, which, again, makes it disappointing it’s not being more investigated, but the most serious side of SPECTRE is that a full blown fix, at least for right now, is actually not possible! That’s not to say you will be remaining in the dark, preventive measures are being issued as fixes to hopefully rectify any future attack taking advantage of the SPECTRE security bug. The slightly good news, is, none of these fixes will impact performance of your devices.

Below is a list of OS providers and when they claim the preventive measures to tackle SPECTRE will be executed;

Microsoft Windows

Unlike the KAISER fix, expected to fix the MELTDOWN bug, Microsoft are still testing fixes for the SPECTRE vulnerability, again, through it’s Preview program. The company confirmed they are working with Intel, AMD and ARM Holdings to issue a fix as soon as possible, though have stated users should receive fixes to help protect them against the reported vulnerabilities this coming Tuesday, commonly referred to as “Patch Tuesday” by the Windows community.

Apple macOS

Whilst Apple have issued a patch to help fix the MELTDOWN bug, when it comes to the SPECTRE bug, Apple have been less transparent. Though the company has advised that users download Applications only from Trusted Sources, this is referring to how macOS System Preferences prevents installation of Applications not featuring an authorisation certificate from Apple. Users can still install these apps, though Apple is recommending users not to as a precaution whilst fixes are being worked on to work around the SPECTRE problem.

Apple iOS

Whilst mobile devices are far less affected by the SPECTRE vulnerability, by design. ARM Processors are still at risk from the flaw, and this does include Apple’s A series of chips found in iPhones, iPads and iPod touch. Apple has claimed, like with macOS, a work around fix will be issued to all iOS devices in the next iOS update.

Google Chrome OS

Google confirmed in their Security Blog, that users running Chrome OS, or the Chrome browser on any Desktop Operating System supported, can expect a fix in the coming days for the SPECTRE and MELTDOWN vulnerabilities. Due to Chrome OS running Android apps within a Sandbox style environment, Google literally only needs to protect the browser.

Google Android

Despite what the majority of News stations would have you believe, the SPECTRE flaw does affect, Intel, Qualcomm and Exynos based Android devices. Google, however, have confirmed that all Android users will have the necessary protection against the SPECTRE flaw in the January Security Update, which has already hit the companies Pixel branded devices, but based on the severity of the problem, will likely hit other Android OEMs quicker than it previously would do. Google claims, once the January Security Update is installed, users should be protected from any future problems created by a SPECTRE attack.

Linux / UNIX

Probably the more difficult to call, will be users running distributions of Linux or fellow UNIX operating systems. Whilst Intel and AMD will be issuing CPU driver fixes for all operating systems over time, there’s no real way to tell when the fixes will come to Linux based operation systems, to which we’d recommend checking the source of your Linux distribution very closely on whether a fix is either in the works, or to be updated soon. A proposed fix was released for some Linux distributions codenamed “Forcefully Unmap Complete Kernel With Interrupt Trampolines”, which whilst delivers equivalents of the fixes provided by other software companies, also offers a rather interesting acronym.

To summarise

Whilst the chance of you facing an attack from either MELTDOWN or SPECTRE are greatly unlikely, the severity of the vulnerabilities and why they’ve being reported the level that they have is mainly due to just how many systems they impact.

As we mentioned in our post, the MELTDOWN issue impacting Intel CPUs is the most serious and the one which both needs patching as soon as possible, and then needs a fix to aid the performance drop due to the quick fix being implemented.

The SPECTRE bug isn’t as serious in terms of a security impact, though it’s important to note that this vulnerability is due to the way CPUs are factory designed! This will likely affect, and, potentially, delay, future iterations of CPUs by Intel, AMD and ARM companies throughout 2018. The SPECTRE flaw is mostly a Desktop issue, however, as, like MELTDOWN, it relies on Spreadsheet and Command levels being accessible by the user facing Operating System UI.

We will likely update this post, should any future vulnerabilities be found in relation to those discussed, though for now, that’s all you need to know.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close