Researchers Discover Three Major Security Flaws in CPUs nytimes.com

Cade Metz and Nicole Perlroth of the New York Times have what is perhaps the best high-level summary of the flaws:

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of a computer. There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.

[…]

According to the researchers, including security experts at Google and various academic institutions, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

The other flaw, Spectre, affects most other processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix [for] it.

Though there are two names, there are three flaws in total: CVE-2017-5754 (variant 3, “rogue data cache load”) is Meltdown, while CVE-2017-5753 (variant 1, “bounds check bypass”) and CVE-2017-5715 (variant 2, “branch target injection”) are, collectively, known as Spectre. If you want to see the effects of these bugs, Michael Schwarz — one of the researchers who discovered Meltdown — posted a short demonstration.

A 30% performance hit for Meltdown patches sounds pretty rough, but initial reports from some of the first patches indicate that there’s little to no noticeable difference for typical workloads. Microsoft updated their Azure cloud hosting service and isn’t generally seeing performance degradation, and I haven’t noticed any differences after updating to macOS 10.13.2 and subsequently 10.13.3, both of which include fixes for Meltdown.

Chris Duckett, ZDNet:

While there have been concerns that patching the flaw could hit performance by a double-digit percentage, Linus Torvalds told ZDNet it will depend on workload.

“I think 5 percent for a load with a noticeable kernel component (eg, a database) is roughly in the right ballpark,” he said. “But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation.”

In addition, modern JavaScript engines run very close to the metal — as it were — and the Spectre researchers demonstrated that a malicious webpage can exploit the same class of flaw from JavaScript to read memory belonging to the browser process, without any native code. Google has promised a Chrome update within a few weeks with a patch.

There’s an official website answering many questions you may have about these bugs, with the now-de rigueur logos attached to major security flaws.

Update: Brian Krebs:

Leaving aside the brilliance of the people that found this Intel bug, may I submit that perhaps coining threat names and invoking cute icons is a gratuitous and disingenuous way to get people to care about an impossibly arcane flaw that they in all likelihood can’t do much about?

I’ve flitted between whether giving bugs names and logos is helpful or harmful. The KRACK WiFi bug was disclosed on the same day last year as a potentially more harmful flaw in a widely deployed RSA key-generation library, but the latter didn’t have a catchy name:

I get why security researchers are dialling up the campaigns behind major vulnerabilities. CVE numbers aren’t interesting or explanatory, and the explanations that are attached are esoteric and precise, but not very helpful for less-technical readers. A catchy name gives a vulnerability — or, in this case, a set of vulnerabilities — an identity, helps educate consumers about the risks of having unpatched software, and gives researchers an opportunity to take public credit for their work. But, I think the histrionics that increasingly come with these vulnerabilities somewhat cheapen their effect, and potentially allow other very serious exploits to escape public attention.

In this case, these are very serious bugs: it’s possible to exploit them in relatively passive ways, the effects can be very damaging, and — as far as Spectre goes — there’s no way to fix it without a complete change in processor design. If these bugs had remained as CVE numbers, it’s unlikely that many people outside of the computer security world would know about them.

But does that matter? As far as I can figure out, there’s no proof that these branding efforts encourage consumers or software vendors to update their software any quicker. And, as noted above, there’s nothing consumers can do about the Spectre vulnerabilities until they buy a new computer or phone — and perhaps not for another generation or two. The branding of vulnerabilities has, absolutely, made the efforts of security researchers more notable, and there is a reasonable argument to be made for the value of that; it also makes everyone more aware that the technology they rely upon is not as secure as we want to believe it is.

Update: Contrary to some of the reporting above, Intel says that both Meltdown and Spectre can be mitigated with software and firmware (microcode) updates, without replacing the processor.
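To make concrete what a “software fix” for Spectre can mean, given the claim above that the flaw cannot be fixed without a processor redesign and Intel’s counter-claim that software and firmware updates mitigate it, here is an added example that is not from the original post, the New York Times, or the researchers. It shows the code shape behind CVE-2017-5753 (variant 1, bounds check bypass) beside the branch-free index clamp that the Linux kernel adopted as `array_index_nospec()`; the mask arithmetic follows the kernel’s generic C version, but the function and variable names, the sample array and the `probe` buffer are constructed for this example. The program cannot itself show a leak (there is no timing harness and the effect is microarchitectural), but it shows the pattern a reviewer looks for and the mitigation applied to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Constructed sample data for this example (not from the original post).
 * public_data is the array an attacker is allowed to index; whatever sits
 * beyond it in memory is what a Spectre attacker is after. */
static const uint8_t public_data[16] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};
static const size_t public_len = sizeof public_data;

/* 256 "cache lines", one per possible byte value. A Spectre attacker later
 * times accesses to this buffer to learn which line the victim pulled in. */
static volatile uint8_t probe[256 * 512];

/* CVE-2017-5753 (Spectre variant 1) gadget pattern. Architecturally this is
 * correct: an out-of-range idx never returns data. But while the CPU is still
 * resolving the branch it may speculatively run the body with a large idx,
 * load a byte from beyond public_data, and touch probe[] at an offset that
 * depends on that byte. The speculation is rolled back; the cache state is
 * not, so the byte leaks to a timing measurement. */
uint8_t gadget_unsafe(size_t idx) {
    if (idx < public_len) {
        uint8_t v = public_data[idx];
        (void)probe[(size_t)v * 512];   /* secret-dependent memory access */
        return v;
    }
    return 0;
}

/* Branch-free clamp in the style of the kernel's array_index_nospec():
 * all-ones when idx < len, all-zeros otherwise, using only arithmetic, so
 * there is no branch for the CPU to mispredict. Valid for 0 < len <= SIZE_MAX/2. */
size_t index_mask_nospec(size_t idx, size_t len) {
    /* len - 1 - idx wraps to a huge value exactly when idx >= len, so the
       top bit of (idx | (len - 1 - idx)) is set iff idx is out of range. */
    size_t oob = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return oob - 1;   /* 0 -> SIZE_MAX (keep idx), 1 -> 0 (clamp idx to 0) */
}

/* Hardened gadget: even if the branch is mispredicted, the masked index is
 * in range, so a transient load can only read public_data[0..15] and the
 * probe[] access carries no information about memory beyond the array. */
uint8_t gadget_hardened(size_t idx) {
    if (idx < public_len) {
        idx &= index_mask_nospec(idx, public_len);
        uint8_t v = public_data[idx];
        (void)probe[(size_t)v * 512];
        return v;
    }
    return 0;
}

int main(void) {
    size_t tests[] = { 0, 3, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        size_t idx = tests[i];
        printf("idx=%zu unsafe=0x%02x hardened=0x%02x mask=%s\n", idx,
               gadget_unsafe(idx), gadget_hardened(idx),
               index_mask_nospec(idx, public_len) ? "keep" : "clamp");
    }
    return 0;
}
```

Both functions return identical values for every input; the difference is only in what the processor may do transiently, which is why the fix is a code-pattern change applied gadget by gadget (or a speculation barrier such as `lfence` after the bounds check) rather than a single patch, and why the performance cost depends on how many such sites a workload exercises.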