Happy New Year!
By now you’ve heard about Meltdown and Spectre, the two new CPU vulnerabilities that are getting 24/7 airtime on every news channel.
This is going to hurt Intel badly, as it essentially means that a 2 GHz processor is going to effectively run at 1.4 GHz after it’s patched, and a 4 GHz processor is going to effectively run at 2.8 GHz. That’s the kind of performance hit that hard-core gamers and industry professionals are waking up to today, and it will encourage many to consider alternative CPUs in the future. Unfortunately, while one issue (Meltdown) applies only to Intel CPUs, the other (Spectre) affects almost every CPU that has been tested.
Meltdown and Spectre are two separate CPU design flaws in how access to memory is controlled. Older hardware and operating systems will never be patched to address these vulnerabilities, and the patches currently being pushed for the Intel (Meltdown) flaw have a very high failure rate (as much as 20% for some hardware), often resulting in unbootable devices. My advice is to wait a few days for other people to be the guinea pigs, then install the updates after you get the all clear.
Neither of these affects only Windows. The vulnerabilities are hardware-based, but the current workarounds for them are being pushed into the operating systems to prevent them from being abused.
Meltdown affects every Intel CPU available today, which means that while many Windows computers are affected, every supported Mac is impacted (they’re all using Intel CPUs), and phones and other devices that use Intel chips are vulnerable as well.
Spectre affects just about everything. If your vendor isn’t supporting the device anymore, it will never be patched and the device can never be secured. Every computer hosting every website is affected. Every server. Every phone, tablet, desktop and laptop in the world is affected by at least one of these vulnerabilities. It seems that the only devices immune are certain security devices (dongles) or devices with very limited capabilities. If it can run software, it’s vulnerable.
If you’re a stock market enthusiast this is a good time to invest in mobile hardware vendors – wait a week or so for people to start bailing out in fear and the price to drop. Then buy their ignorance and in a year you’ll be thanking me. There may not be an immediate return, but as chips are released in the next 8-18 months that resolve these problems, security-minded companies and governments will be buying in bulk to replace every single device they currently employ. Talk about a huge surge in purchases later this year. 🙂
I don’t put a lot of stock in what anyone from the government says, so I will defer to the Intel VP who says that the “unfixable” Spectre flaw can be resolved with a firmware update on most supported devices. I assume the same is true for other vendors’ chips affected by Spectre. Unfortunately, this means it’s still going to be a long-tail fix, since firmware updates can take months to be released for each supported chip and years to be fully addressed, and unsupported hardware will never be fixed. The Intel SA-00086 vulnerability (initially reported in February 2017), for example, which impacts the last 4 full generations of Intel CPUs, still has not received patches for most currently supported hardware. Likewise, it’s quite unlikely that Spectre will be fully addressed on existing supported hardware within the next couple of years.
Replacing your device isn’t a solution, either, since hardware that isn’t vulnerable simply doesn’t exist yet. We need to hope that operating system vendors will correctly and fully address these problems on current hardware in the very near future.
Now for the good news
If you’re maintaining your devices (installing operating system, application and driver updates), removing outdated and unused software, not installing untrusted third-party applications that are either unmaintainable or unsecurable, and not installing “bad” programs (warez, fake, or malicious), then your computer is really at no greater risk today than it was last week. Both of these vulnerabilities require a malicious application to be run on your device before they can be exploited. They are not remote exploits that automatically bypass the other security precautions you may have in place (unlike SA-00086). Remove everything you don’t want or need on your device, don’t install untrusted apps, don’t ever click “yes” in a popup without reading it and understanding the implications, and you’ll probably be OK. Really.
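Since the operating-system workarounds are what actually stand between a malicious application and these flaws, it helps to be able to confirm they are switched on rather than assuming an update did the job. As an added example (not code from the original post), the Python script below reads the per-flaw status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ and sorts them into mitigated, vulnerable and unknown. The SAMPLE_STATUS lines are constructed in the format those files use, so the script runs offline on a machine without that directory; the file names and the "Not affected" / "Mitigation: ..." / "Vulnerable" wording are the kernel's own.

```python
"""Report the kernel's own view of Meltdown/Spectre mitigation status.

Linux 4.15 and later expose one file per CPU flaw under
/sys/devices/system/cpu/vulnerabilities/ (for example meltdown,
spectre_v1, spectre_v2).  Each holds a one-line status such as
"Not affected", "Mitigation: PTI" or "Vulnerable".  This script reads
them when present and otherwise falls back to constructed sample lines.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample output in the sysfs file format; not captured from
# any particular machine.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "spec_store_bypass": "Not affected",
}


def classify(status_line):
    """Map one sysfs status line to a coarse verdict.

    "ok" for "Not affected" and for "Mitigation: ...", "vulnerable" for
    anything starting with "Vulnerable" (the kernel uses that prefix even
    when a partial mitigation is active), "unknown" for anything else.
    """
    text = status_line.strip()
    if text == "Not affected" or text.startswith("Mitigation:"):
        return "ok"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs_status():
    """Return {flaw_name: status_line} from sysfs, or None if unavailable."""
    if not SYSFS_DIR.is_dir():
        return None
    return {
        p.name: p.read_text().strip()
        for p in sorted(SYSFS_DIR.iterdir())
        if p.is_file()
    }


def summarize(status_map):
    """Return (verdicts, unmitigated).

    verdicts maps each flaw to its classify() result; unmitigated lists
    every flaw whose verdict is not "ok", so an unreadable or unfamiliar
    line is surfaced rather than silently treated as fixed.
    """
    verdicts = {name: classify(line) for name, line in status_map.items()}
    unmitigated = sorted(name for name, v in verdicts.items() if v != "ok")
    return verdicts, unmitigated


if __name__ == "__main__":
    live = read_sysfs_status()
    status = live if live else SAMPLE_STATUS
    source = "sysfs" if live else "constructed sample"
    verdicts, unmitigated = summarize(status)
    print(f"Source: {source}")
    for name, line in status.items():
        print(f"{name:20s} {verdicts[name]:10s} {line}")
    if unmitigated:
        print("Not fully mitigated or unknown:", ", ".join(unmitigated))
    else:
        print("All listed flaws report as mitigated or not affected")
```

Run it after installing an update and again after the next reboot; a line that still begins with "Vulnerable" after both means the kernel knows about the flaw but has not been given a working mitigation (often because the matching microcode or firmware update the post describes has not arrived yet), which is exactly the long-tail situation to watch for.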
For anyone who isn’t already using my service: if you don’t want to do all of this by yourself, let me.