Yesterday, a report suggested that there was a design flaw in Intel CPUs that posed a serious security risk. Turns out, that report was only based on partial information and things are more serious than that. As things stand right now, every modern PC released in the last decade features a critical security flaw that requires a redesign of the CPU microarchitecture to be fixed.
With Microsoft, Google and other major OEMs rushing in to fix the problem, the implications of these security risk are unlikely to affect your daily computing life. However, there is a lot going on in the background that you definitely need to be aware of.
Q) The initial report claimed only Intel CPUs were affected. What has changed since then? How many exploits are there?
A) The initial report was based on partial information. That specific bug, which is being called ‘Meltdown,’ only affects Intel CPUs released in the last decade. However, another design flaw has also been revealed since then which puts processors from AMD and ARM at risk which is being called ‘Spectre.’ This essentially means that all devices released in the last decade and featuring an AMD, Intel or ARM processor are at risk.
Q) What do Meltdown and Spectre exploits actually do?
A) Below is how Google’s Project Zero team explains it:
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.
And a slightly simpler explanation with real-world implications from Google:
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
Make sure to also read the twitter thread below to get a quick overview on Meltdown and Spectre.
2. Christmas didn't come for the computer security industry this year. A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
— Nicole Perlroth (@nicoleperlroth) January 3, 2018
Q) So, will AMD CPUs also take a performance hit due to the exploit being patched?
A) This is unclear for now. And even on Intel CPUs, the performance hit is less than 5 percent which is going to be barely noticeable.
Q) What is AMD’s official stance on this?
A) AMD says that its processors are not affected by any of the vulnerabilities detected and they believe there is a “near zero risk.”
To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.
Q) Should I defer my plan to buy a new Mac or computing device for now?
A) No. While serious, Intel, Google, and other major tech companies are already working to fix these exploits.
Q) Which poses a significant security risk: Meltdown or Spectre?
A) The Meltdown exploits affecting Intel CPUs poses a more serious security risk than Spectre. It can be exploited by anyone with basic script knowledge. However, Intel, Linux, and other OEMs already have a patch for Meltdown dubbed KAISER which is being rolled out or will soon be rolled out to all devices. This will lead to a small performance hit but benchmarks show the difference to be only around 2-3 percent. Spectre is hard to take advantage of but it is also more difficult to fix and will require a change in microprocessor design.
Q) Who discovered these issues first?
A) Meltdown was discovered independently by security researchers from the Technical University of Graz in Austria; Cerberus Security — a German security firm; and Google’s Project Zero team. As for Spectre, it was discovered by independent researcher Paul Kocher and Project Zero team. The flaws were originally discovered in June and a full public disclosure was scheduled for next week.
Q) What about iPhones, iPad, and Apple Watch?
A) Apple has not confirmed anything at this point so its tough to say if its A-series chipsets are affected by the two exploits or not. However, if one goes through the list of ARM processors affected by Spectre, it is possible that Apple’s custom designed A-series chips are affected by it as well.
Q) What about ARM processors which power most Android devices and other consumer devices?
A) In its official statement, ARM says that majority of its processors are not affected by Meltdown or Spectre. However, a quick look at the chart makes it clear that major ARM processors used in smartphones like the Cortex-A72, A73, A57, and A75 are all vulnerable to the Spectre exploit.
Q) Are Android devices also affected by Meltdown and Spectre?
A) Yes, they are.
Q) How does all this affect my daily computing needs?
A) With all major tech giants working behind the scene to patch these exploits as soon as possible, Meltdown and Spectre are unlikely to affect your daily computing needs. Microsoft is on the verge of rolling out updates to patch the exploit for Windows 10 PCs while patches have already been merged in the Linux kernel to fix them as well. Major cloud computing providers like Amazon and Microsoft will be conducting maintenance on their services sometime soon to patch the exploit as well. Google has already patched the exploit on its Cloud infrastructure.
Q) What about macOS? Has Apple issued any statement regarding these exploits?
A) While Apple has not issued any statement regarding Meltdown and Spectre, the company seems to have already patched the exploits with macOS 10.13.2.
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 — and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63
— Alex Ionescu (@aionescu) January 3, 2018
The implications and steps taken by major tech giants related to Meltdown and Spectre will only be clear over the following weeks as they roll out updates to patch the exploits. However, one thing is for sure: these exploits will lead Intel, AMD and ARM to make some fundamental changes to their microprocessor designs.