Nearly every modern processor has security flaws that potentially could allow hackers to steal data from any computer or server. The two related problems, code-named Meltdown and Spectre, have the technology industry in a tizzy and spilled over to the mainsteam press a few days ago. They are difficult to fix and alarming to read about. According to the New York Times, “The two problems could allow hackers to steal the entire memory contents of computers . . . The software patch needed to fix (Meltdown) could slow down computers by as much as 30 percent . . .”
If you are a non-technical computer user, this is what you need to know.
1) Don’t panic.
2) These problems don’t affect you directly.
3) Your Windows or Mac computer is either already patched to fix these problems enough to keep you safe or you will get a patch within a few days. Microsoft’s patch is scheduled to be installed this week on Patch Tuesday.
4) Your computer won’t slow down “by as much as 30%.” That doesn’t apply to your Windows or Mac computer. You won’t notice any difference when your computer is patched.
5) No bad guys are exploiting these flaws yet. As of today, there are no known attacks in the hands of bad guys.
Feeling better? Good. Now that you’re relaxed, here’s the non-technical explanation of what’s going on.
Twenty years ago Intel made a fundamental decision about how to design its processors. Every processor since 1995’s Pentium Pro includes a routine to speed things up. It’s so fundamental that most other processors are also built the same way; some aspects of these flaws also apply to processors from AMD, Qualcomm, and ARM. At the moment all the attention is on Intel, partially because one of the flaws is unique to Intel’s designs, but mostly because Intel processors run more than 90% of the world’s servers.
Researchers have discovered a couple of ways to read information from caches in the processor. This requires deeply technical, difficult work! But there are some highly trained technicians out there who are capable of figuring this out. Some of them are security researchers, some of them are bad guys. There’s a very deep fear that bad guys will discover how to exploit these flaws now that they know the broad technical outline of what’s possible.
If you’re interested in the technical details of the processor design and the security flaws, I recommend Peter Bright’s article for Ars Technica. Let’s just agree that speculative execution can permit information leakage from kernel data and leave it at that, okay?
Remember, the basic processor architecture involved in these flaws is twenty years old. Six months ago Google’s security research team notified Intel that they had discovered methods of attacking processors and stealing data at a very deep level, bypassing virtually every security mechanism. In the next few months, three other teams of researchers also reported the flaws to Intel – completely independently and by coincidence. Wired Magazine has an interesting article about coincidental security discoveries – referred to as “bug collisions” – and the possibility that these flaws may already have been known to government agencies like the NSA. (There’s no evidence of that but it’s hard not to be paranoid when we know that the NSA works hard to discover unknown security flaws and keep them secret.)
All of the companies affected by these problems have been working on them secretly for the last six months. They intended to make a unified public disclosure this week. Any hope of a coordinated response disappeared when The Register wrote an article last week and spilled the beans early.
These problems basically don’t affect individual computer users. The industry is buzzing because these problems affect all the servers in the world, including all the servers that run cloud services and SQL databases and virtual machines. The fixes worked on so far cause performance issues for servers, including potentially severe performance degradation for Linux servers, which run a huge percentage of our enterprises and cloud services. That’s where the potential “30 percent slowdown” comes from, and that’s really bad news. It’s worse news that one of the flaws, Spectre, does not yet have any straightforward fix. It’s possible that developers will spend the next few years finding ways to mitigate the Spectre threat. Any known security threat to servers is a bit terrifying. We’re talking about the systems that hold all your data online; the servers that run our airlines and hospitals and power grids and governments; the servers that run every company in the world. Even a tiny risk that information can be stolen from servers is enough to cause every IT security person to lose sleep.
The Meltdown and Spectre problems are so deep-seated that they have been worked on for the last six months from three different directions.
• The chip manufacturers (Intel, ARM, and AMD) are frantically working on fixes that will likely range from firmware and microcode updates to a complete redesign of new processors going forward. (Computer manufacturers will have a role in that kind of deep update. Microsoft and HP are already issuing BIOS updates for some of their laptops.)
• Operating system companies have been working on patches to fix the aspects of these flaws that can be addressed at an OS level. Microsoft (Windows), Apple (iOS, MacOS), and Google (Android, ChromeOS) are all either updated or getting updates this week. Programmers are working on updates to the Linux kernel. More updates will likely be released in response over the next few months.
• Cloud service providers like Amazon AWS are scrambling to install updates and minimize performance hits.
Our world is filled with scary things. Meltdown and Spectre are alarming and we haven’t heard the end of them, but IT security researchers have many, many reasons to know that we’re all doomed. These are just the latest things in the news. Don’t worry about them as an individual computer user. Worry about all the other ways that the bad guys can steal your stuff and harm your computers. Keep your computers up to date, follow the Rules For Computer And Online Safety and be careful out there!