Meltdown, Spectre CPU bugs threaten devices worldwide
4 January 2018
Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues – dubbed Meltdown and Spectre – exist in the CPU hardware itself, Windows, Linux, Android, Macs, Chromebooks, and other operating systems all need to protect against them. And worse, it appears that plugging the hole will negatively affect your PC’s performance.
Everyday home users shouldn’t panic too much, though. Just apply the latest operating system updates and keep your antivirus software vigilant, as ever.
Here’s a high-level look at what you need to know about Meltdown and Spectre, in plain language. If you want a deep-dive into the technical details, be sure to read Google’s post on the CPU vulnerabilities. We’ve updated this article repeatedly as new information becomes available.
It is hard to dive too technically into the issue, as major hardware and software vendors are working together quietly to fix the kernel issue before making the vulnerability public. But The Register’s reporting and comments on patch code coming in hot to the Linux kernel – with details redacted to obscure the exact nature of the vulnerability – give us insight into the issue.
Here is a high-level look at what we know so far about the Intel CPU kernel bug affecting Linux, Windows, and presumably Macs. Expect it to be updated repeatedly as the problem becomes more clear.
Intel processor kernel bug FAQ
(Editor’s note: This article was updated to include comments from an Intel statement about the kernel exploit and its performance concerns throughout.)
The bug in play here is extremely technical, but in a nutshell, the chip’s kernel is leaking memory, which could lead to extremely sensitive data being exposed to apps and hackers, or make it easier for attackers to inject malware into your PC.
Intel says that “these exploits do not have the potential to corrupt, modify or delete data,” though simply being able to read the contents of protected kernel memory could give attackers access to your passwords, login keys, and much more.
What’s a kernel?
The kernel inside a chip is basically an invisible process that facilitates the way apps and functions work on your computer. It has complete control over your operating system. Your PC needs to switch between user mode and kernel mode thousands of times a day, making sure instructions and data flow seamlessly and instantaneously. Here’s how The Register puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.”
How do I know if my PC is at risk?
Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has “zero” and “near zero” risk to the two known Spectre variants because of the way its chip architecture is designed.
A Linux kernel patch is also being prepared for 64-bit ARM processors. Details are murky, though a statement from Intel says that “many types of computing devices – with many different vendors’ processors and operating systems – are susceptible to these exploits.”
So if it’s a chip problem, then the chip makers need to fix it?
Yes and no. While CPU manufacturers will surely address the problem in future chips, the fix for PCs in the wild needs to come from the OS manufacturer, as a microcode update won’t be able to properly repair it.
Linux developers are working furiously to address the flaw in a new kernel update. Microsoft is expected to patch the problem during its Patch Tuesday updates on 9 January, after testing it on recently released Windows Insider preview builds. That timeline appears to have been corroborated by Intel’s statement, which says, “Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.”
I use a Mac, so I’m OK, right?
Not this time. The vulnerability here affects all Intel x86 chips, so that means Macs are at risk too. However, Apple quietly protected against the exploit in macOS 10.13.2, which released on 6 December, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says.
So, what can I do?
Not much besides updating your PC when a fix becomes available. Since the issue is such a deeply technical one there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime – advice that Intel also stresses.
Do you know when a fix will come?
It’s already here for Windows, Mac, and Chromebook users.
Microsoft pushed out a Windows update protecting against Meltdown on 3 January, the day that the CPU exploits hit headlines. Updates issued outside of Microsoft’s monthly “Patch Tuesdays” are rare, underlining the severity of this issue.
Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which released on 6 December, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says.
Linux developers are working furiously to address the flaw in a new kernel update.
Chromebooks received protection in Chrome OS 63, which released on December 15. Furthermore, the Chrome Web browser itself was updated to include an opt-in experimental feature called ‘site isolation’ that can help guard against Spectre attacks. Site isolation is trickier on mobile devices; Google warns that it can create “functionality and performance issues” in Android, and since Chrome on iOS is forced to use Apple’s WKWebView, Spectre protections on that platform need to come from Apple itself. Chrome 64 will include more mitigations.
Mozilla is taking steps to protect against Spectre as well. Firefox 57 released in November with some initial safeguards.
So once the fix arrives, it’s OK?
Well, the operating system patches will plug the risk of Meltdown, but you might not like the side effects. While the fix will prevent the chip’s kernel from leaking memory, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.
How much slower will my Intel PC become?
More recent Intel processors from the Haswell (fourth-gen) era onward have a technology called PCID (Process-Context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications – most notably virtualisation tasks and data centre/cloud workloads – are affected more than others. The Register says “we’re looking at a ballpark figure of five to 30% slow down, depending on the task and the processor model.” Intel confirmed that the performance loss will be dependent on workload, and “should not be significant” for average home computer users.
“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.
“It will depend heavily on the hardware too,” he continued. “Older CPUs without PCID will be impacted more by the isolation. And I think some of the back-ports won’t take advantage of PCID even on newer hardware.”
Michael Larabel, the open source guru behind the Linux-centric Phoronix website, has run a gauntlet of benchmarks using Linux 4.15-rc6, an early release candidate build of the upcoming Linux 4.15 kernel. It includes the new KPTI protections for the Intel CPU kernel flaw. The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks. PostgreSQL and Redis suffered a loss, but to a far lesser degree. Finally, H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks didn’t lose anything.
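On a Linux machine you can check for yourself whether the KPTI protection is active and whether the CPU offers PCID. The following is an added example, not code from this article or from the kernel developers. It assumes an x86 system and relies on interfaces the article does not mention: the "flags" and "bugs" lines of /proc/cpuinfo and the sysfs status file provided by Linux 4.15 and later (and patched older kernels); the sample text is constructed.

```python
from pathlib import Path

CPUINFO = Path("/proc/cpuinfo")
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")

# Constructed sample, not captured from a real machine.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu sse2 pcid pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)


def tokens(cpuinfo_text, field):
    """Tokens of the first '<field> : ...' line in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == field:
            return set(value.split())
    return set()


def assess(cpuinfo_text, sysfs_status=""):
    """Classify one x86 Linux host; sysfs_status is the sysfs file's text, if any."""
    flags, bugs = tokens(cpuinfo_text, "flags"), tokens(cpuinfo_text, "bugs")
    status = sysfs_status.strip()
    pcid = "pcid" in flags
    # Patched kernels expose a "pti" flag and "Mitigation: PTI" while KPTI is on.
    kpti = status.startswith("Mitigation") or "pti" in flags
    if status == "Not affected":
        verdict = "not affected"
    elif kpti:
        # PCID lets the kernel avoid a full TLB flush on each page-table switch.
        verdict = "mitigated, " + ("PCID available" if pcid else "no PCID: expect a larger slowdown")
    elif status.startswith("Vulnerable") or bugs & {"cpu_meltdown", "cpu_insecure"}:
        # "cpu_insecure" was the name used in early 4.15 release candidates.
        verdict = "vulnerable: install the kernel update"
    else:
        # Kernels that predate the fix report nothing either way.
        verdict = "unknown: kernel does not report Meltdown status"
    return {"kpti": kpti, "pcid": pcid, "verdict": verdict}


def read_text(path):
    return path.read_text() if path.exists() else ""


if __name__ == "__main__":
    print(assess(read_text(CPUINFO), read_text(SYSFS)))
```

An "unknown" verdict means the running kernel is too old to know about Meltdown at all, which on an Intel machine is itself a reason to update.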
Your mileage will, indeed, vary, it seems. Keep in mind that Phoronix’s testing was conducted on a non-final release, and that the Linux and Windows kernels are two very different beasts, so do not treat these as a locked-in look at what to expect from the eventual fixes for the Intel x86 kernel bug. We won’t know the full extent of the slowdown on Windows and macOS machines until a patch lands.
IDG News Service