Meltdown and Spectre: the great processor disaster
As a computer scientist, I deal with security vulnerabilities on a daily basis since the perfect operating system has just not been found yet - but this time I almost spilled my tea when I read the news. This issue was different and it affected the core of all computer calculations: the processor itself. And it wasn't just any processor that was vulnerable but practically all of them whether they were built into PCs, cellphones or servers all over the world. This time, the remedy wasn't a simple browser patch. Every operating system had become unsafe taking the wind right out of the sails of Apple users who like to point their fingers at the supposedly inferior security of Windows systems. They were all in danger. Even those who owned none of the CPUs listed couldn't just sit back and relax because the servers that host and process all of our data could also be affected. Read on to learn what happened and how manufacturers are dealing with the dire situation.
It all started with a good idea. To optimize processor performance, CPUs were designed to not only process currently required instructions but also predict and perform potential future calculations to save processing time (speculative execution). Picture a restaurant that has many regular customers. The cook already knows what they'll order so many meals can be prepared in advance. If, however, customers decide to change their order, the pre-made dishes have to be disposed of. Unfortunately, the garbage container isn't properly secured. Or maybe the no longer needed dish is taken by an unauthorized busboy or busgirl and it takes the cook a while to notice this mistake leaving them time to figure out the ingredients. Another option would be tricking the cook into preparing specific meals for later and trying to observe how they're made. Your processor operates in a similar fashion and pre-loads data, including sensitive information like passwords, for potential later use. If left unused, this data then ends up in the trash.
Historically, there was little incentive to specially secure the garbage dump as, back in the day, computers were isolated units in dedicated storage racks without sophisticated networking. That has changed drastically! Meltdown, which so far has mainly affected Intel chips, can be mitigated through software updates but only certain exploitations of Spectre can be stopped in this manner. Spectre affects potentially all processors and may ultimately require a hardware redesign to be fixed. In both cases malicious code has to be slipped onto the target machine, e.g. through email attachments or browser-based malware. If successful, the consequences would be disastrous as, according to Michael Schwarz from the Graz University of Technology, attackers would then be able to read and see everything that's happening on the PC including all user input.
Intel, AMD and ARM reportedly already knew about these vulnerabilities some 6 months ago, which may explain why Intel CEO Brian Krzanich felt the need to sell every company share he could get his hands on back in November 2017 (some speculative execution on his part I guess)! It took a while for details on the actual threat and affected processors to come out and they were overshadowed by the usual appeasement tactics. But with continued research, more and more processors ended up on the blacklist. Hardware giant Intel was just the beginning. In the mobile space, the list now includes Qualcomm as well as ARM, whose chip designs are featured in almost all cellphones and tablets. AMD claims to be less affected (some researchers doubt this) but they're still rolling out updates. Roughly speaking, we may be talking about billions of affected devices. Apparently, the vulnerability has been around and built into processors since 1995 despite all later developments.
A lot is still unclear, including whether there have been any actual attacks. What is unsettling though is that nobody would have noticed since they would have been untraceable for past and current security mechanisms. Skeptics have their doubts whether secret services really remained completely inactive since they've also known about the issue for months. Some experts even believe this was meant as a deliberate backdoor to circumvent common security mechanisms like passwords and encryption but that's mere speculation. What is clear is that criminals all over the world will now be trying to exploit these vulnerabilities hoping that devices will either receive late updates or no updates at all. Malware attacks like WannaCry and others have shown that even PCs in public institutions and companies are hopelessly outdated and insufficiently maintained. What will happen to the millions of Android cellphones that feature Qualcomm processors and outdated operating systems is anybody's guess.
So what can you do now? The Computer Emergency Response Team (CERT), often an advisor to the US Department of Defense and the Department of Homeland Security, has put it quite frankly: immediately install all available updates and, if possible, replace the processor. The latter is not only expensive and requires some skill but there are also hardly any suitable alternatives available! All that's left is to ensure you're running the latest versions of your operating system, browsers and security software. This update hassle may cost you not only nerves but also system performance, however. After some reports claimed performance drops of up to 30%, it is now believed they will be somewhere in the range between 2% and 10%. Reason enough for many to file class action suits. Even so, you should still install patches as soon as they come out. The coming months will likely shed more light on this issue so stay tuned.
What I would like to know: how do you rate the manufacturers' current actions? Are you experiencing update issues as reported in some forums?
Right in the nick of time, Microsoft has released a checking routine that reveals whether your PC is vulnerable. Unfortunately, it's a script-like approach that requires a lot of manual fiddling which is why we've built Ashampoo Spectre Meltdown CPU Checker around it. The program requires no registration or installation and is free. You can find it here: Ashampoo Spectre Meltdown CPU Checker. If you receive an error that PowerShell is missing, you’ll have to do things the hard way and enter everything manually. See here for details.
Here’s a tip for Windows 7 and Windows 8 users. You may need to install Windows Management Framework 5.1 if you don’t have it already. Get it here: https://www.microsoft.com/en-us/download/details.aspx?id=54616.
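For readers who end up doing the check manually, here is an added example (not part of the original post and not Ashampoo's code) of what that looks like in PowerShell. It assumes the Microsoft routine referred to above is the SpeculationControl module from the PowerShell Gallery, which the post does not name; the summary labels are my own.

```powershell
# Added example: manual Spectre/Meltdown mitigation check using Microsoft's
# SpeculationControl module (assumed to be the routine the post refers to).

# Remember the per-user execution policy so it can be restored afterwards.
$savedPolicy = Get-ExecutionPolicy -Scope CurrentUser
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

try {
    # Install-Module needs PowerShellGet, which ships with WMF 5.1
    # (the download mentioned above for Windows 7 and Windows 8).
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    # The cmdlet prints a report and also returns an object with one
    # boolean per check; keep the object for the summary below.
    $s = Get-SpeculationControlSettings

    # Spectre variant 2 (branch target injection): the OS patch alone is
    # not enough, the CPU microcode/firmware update must be present too.
    $spectreV2 = $s.BTIHardwarePresent -and
                 $s.BTIWindowsSupportPresent -and
                 $s.BTIWindowsSupportEnabled

    # Meltdown: kernel VA shadowing only matters on CPUs that require it.
    $meltdown = (-not $s.KVAShadowRequired) -or
                ($s.KVAShadowWindowsSupportPresent -and
                 $s.KVAShadowWindowsSupportEnabled)

    # Summary labels below are illustrative, not output of the module.
    [pscustomobject]@{
        'Spectre v2 mitigation active'       = $spectreV2
        'CPU microcode/firmware updated'     = $s.BTIHardwarePresent
        'Windows patch for Spectre v2'       = $s.BTIWindowsSupportPresent
        'Meltdown mitigated (or not needed)' = $meltdown
        'Windows patch for Meltdown'         = $s.KVAShadowWindowsSupportPresent
    } | Format-List
}
finally {
    # Put the execution policy back, even if the check failed.
    Set-ExecutionPolicy $savedPolicy -Scope CurrentUser -Force
}
```

A `False` for the Spectre line while the Windows patch line shows `True` usually means the operating system update is installed but the BIOS/UEFI (microcode) update from the PC or mainboard manufacturer is still missing.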