
Spectre and Meltdown – what are they and what does this mean?


Scott Quilter 19th Jan 2018

By prioritising processor speed and power over security, the chip industry has been hit by the confirmation of two large-scale vulnerabilities. Although no known attack has used these vulnerabilities, they could, if exploited, compromise most modern technologies unless the way chips are used by their operating systems is drastically changed.

What are these two vulnerabilities?

Meltdown

“Meltdown, a bug that could allow an attacker to read kernel memory (the protected core of an operating system), impacts Intel and Qualcomm processors, and one type of ARM chip. Intel has released firmware patches for its processors, and has been working with numerous manufacturers, like Apple and HP to distribute them. Intel has also coordinated with operating system developers to distribute software-level mitigations. Patches are already out for recent versions of Windows, Android, macOS, iOS, Chrome OS, and Linux.”

Spectre 

“The other bug, Spectre, involves two known attack strategies so far, and is far more difficult to patch. (And in fact, it may be impossible to defend against it entirely in the long term without updating hardware.) It affects processors from Intel, ARM, AMD, and Qualcomm. Browsers like Chrome, Firefox, and Edge/Internet Explorer all have preliminary Spectre patches, as do some operating systems. Apple has also (as of 9th January) released a Supplementary update for MacOS and Safari. These patches lessen the risk of an exploit being found but investigations are still being made by hardware manufacturers to see if it can be stopped without replacing of actual hardware. More news and details of the Spectre bug come to light each day and we will advise our customers once we know more.”

The patches that are currently available are still in their infancy and need refining. They may block the vulnerability, but in the process there is a noticeable hit on device performance. At the moment, the speed consequences of patching these bugs have been significant enough to elicit attention, gripes and moans. To be clear, we here at CETSAT (along with all others in the I.T. industry) highly recommend you install the CPU security bug patches as soon as possible. While most casual desktop users and gamers won't notice any prolonged slowdown, or any performance hit at all, people running IO or system-call intensive software, such as large Excel documents, databases including MS Access, or any large-scale graphics and video editing suites, may well notice the difference.

To keep our customers as secure as possible we are already in the process of rolling out these patches to all devices as and when they are made available (from the vendors and software providers) after confirming they have been tested thoroughly – this will happen silently in the background.

More and more updated versions of patches are becoming available, but all involve rewriting how the processor in your computer processes and accesses data, so it will take time for these patches to get performance close to what it was before. It could take months or even years of work to redevelop all operating systems to work in this new way. Modern processor chips will be made differently too, to try and eliminate the risk of these vulnerabilities ever being used.

PCID

If there's a bright side to all this, it's that the PCID feature, present in Intel's x86-64 chips since 2010, can reduce the performance hit from patching Meltdown. (This is not supported on 32-bit machines.) Operating systems are being tweaked and changed to use this feature on existing chips and new chips to try and reduce the impact on computer performance, and things will only get better with time and the latest releases.
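To see whether a given Linux machine has PCID and what its kernel says about the two bugs, a check along these lines can be used. It is an added example, not part of the original article; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the function names and sample data are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Assumes a Linux host whose kernel
# exposes /sys/devices/system/cpu/vulnerabilities; function names are illustrative.

# has_flag FLAG CPUINFO: succeed if FLAG is a whole word on the first "flags" line.
has_flag() {
    grep -m1 '^flags' "$2" | tr ' \t' '\n\n' | grep -qxF -- "$1"
}

# pcid_verdict CPUINFO: classify the CPU for the Meltdown-patch performance question.
# "lm" (long mode) marks a 64-bit capable CPU; PCID is only usable in 64-bit mode.
pcid_verdict() {
    if ! has_flag lm "$1"; then echo "32-bit: no PCID"
    elif has_flag pcid "$1"; then echo "64-bit: PCID available"
    else echo "64-bit: no PCID"
    fi
}

# mitigation_status DIR NAME: the kernel's own verdict for one vulnerability.
mitigation_status() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "not reported"; fi
}

# unpatched DIR: list the vulnerabilities that are not confirmed mitigated.
unpatched() {
    local v out=""
    for v in meltdown spectre_v1 spectre_v2; do
        case "$(mitigation_status "$1" "$v")" in
            Mitigation:*|"Not affected"*) ;;   # kernel reports it as handled
            *) out="$out $v" ;;                # "Vulnerable" or no report at all
        esac
    done
    echo "${out# }"
}

# report [CPUINFO] [DIR]: with no arguments, reads the live host.
report() {
    local cpu="${1:-/proc/cpuinfo}" dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    echo "CPU: $(pcid_verdict "$cpu")"
    echo "Needs attention: $(unpatched "$dir")"
}

# Constructed sample data so the example runs anywhere; call `report` alone on a real host.
SAMPLE=$(mktemp -d)
printf 'flags\t\t: fpu vme lm pcid sse4_2\n' > "$SAMPLE/cpuinfo"
echo 'Mitigation: PTI' > "$SAMPLE/meltdown"
echo 'Mitigation: __user pointer sanitization' > "$SAMPLE/spectre_v1"
echo 'Vulnerable' > "$SAMPLE/spectre_v2"
report "$SAMPLE/cpuinfo" "$SAMPLE"
```

A machine that shows "64-bit: no PCID" with the Meltdown patch applied is the one most likely to feel the slowdown described above.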

To Summarise 

Using as little jargon as possible:

  • Chip manufacturers got it wrong, exposing all modern tech to two nasty vulnerabilities called Meltdown and Spectre
  • Machines need patches to stop the risk. These patches mean the way computers work is completely different and more secure but, most importantly, noticeably slower
  • Vendors and Programmers are working hard to make these patches have less impact on people’s machines
  • Machines will get faster but this will take time

If you have any questions at all please do not hesitate to contact us.