This week we learned of major security vulnerabilities affecting nearly every current PC, server, and smartphone processor on the market as well as many released in the past decade or so.
The Meltdown vulnerability primarily affects Intel processors, although chips based on new ARM Cortex-A75 design are also impacted. AMD chips are considered safe from Meltdown. And thanks to software updates that are already rolling out, many PCs, servers, and mobile devices should be relatively safe from Meltdown attacks in the foreseeable future, although the patches could slow down performance in some cases.
Spectre attacks, on the other hand, could potentially affect Intel, AMD, and ARM processors. And they’re much harder to completely protect against via a software update. That hasn’t kept companies from trying, and the first round of Spectre mitigating updates are already rolling out. But to be fully protected against Spectre, chip makers might have to introduce new hardware that’s not vulnerable to these forms of attacks.
It’s not entirely clear if or when that will happen though, which raises the question: is now a bad time to buy a new computer or phone?
It’s also an awkward time to be asking that question. Next week we’ll see the launch of hundreds of new gadgets at the annual Consumer Electronics Show, and PC makers have already started unveiling new laptops, tablets, convertibles, and desktops ahead of the show, and all of them have chips that are susceptible to Meltdown and/or Spectre vulnerabilities… although software patches could mitigate some of the risk.
Intel seems confident that software updates are good enough. The company says the updates its releasing starting this week will render PCs and servers with Intel chips “immune” to both Meltdown and Spectre.
Security researchers aren’t as certain. While Apple, Google, Microsoft, and others are all rolling out software updates alongside Intel’s firmware updates that will help neutralize Meltdown, it’s unclear if the Spectre-oriented patches will prevent all forms of Spectre-related attacks.
And the Meltdown patches have a downside. While Intel, Google, and others claim that the performance impact is “negligible,” some tests show that computers with updated software perform certain tasks significantly more slowly.
While it’s nice to know that companies are doing their best to protect the billions of computing devices already in use, what about all those new machines set to hit the streets in 2018? You know, the ones that’ll be on display at CES 2018.
They’ll support all the same software patches as whatever hardware you’re currently using. But they don’t feature any major chip redesigns to protect them. And at this point it’s not clear if or when Intel or ARM will change the way it makes chips to protect them from these vulnerabilities.
Intel has told CNET that it will ship products later this year that incorporate some of the software-based mitigations directly in hardware. But if the software isn’t 100 percent effective, then the hardware changes might not be either.
One problem is that the vulnerabilities affect a feature called speculative execution which helps CPUs run more quickly. Disabling speculative execution would eliminate the issue, but it would also slow down performance. Intel and other chip makers will need to balance security and performance moving forward.
Another problem is that chips take years to design and manufacture. Even if Intel and other companies do decide to change their architecture to avoid Spectre and Meltdown vulnerabilities, it could take years before those chips reach the market… and it’d take many, many more years before businesses and individuals replaced all of their servers, PCs, and mobile devices with models featuring the new chips. So focusing on software fixes is an important approach.
The good news is that so far researchers aren’t away of any malware that uses a Spectre-based attack to steal data. And now that the vulnerability has been disclosed, we’re likely to see security researchers continue exploring additional ways it could be exploited… and continue patching those vulnerabilities as they’re discovered.
Still, I don’t blame anyone for looking at all the computers being announced this week and thinking “it looks nice, but why would I buy it if it’s still susceptible to Spectre.” But if you’re in the market for a new PC in the next year or two, you might not have any option other than one that’s vulnerable to Spectre-based attacks.
Earlier this week the Computer Emergency Response Team Coordination Center (CERT/CC) issued a security note suggesting that in addition to applying software updates, a solution was to “replace CPU hardware” because “the underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable hardware.”
Of course, complying with that suggestion would be difficult because there are no really good alternative CPUs. But CERT/CC has since changed its recommendation to say “operating system and some application updates mitigate these attacks.”
That’s likely due in part to updated information from chip makers, security researchers, and software developers.
The US-CERT site, however, still notes that while software updates will help, “the vulnerability exists in CPU architecture rather than in software,” so “patching may not fully address these vulnerabilities in all cases.”
It’s still early days though. While major tech companies have been aware of the vulnerabilities since June, they’ve only been disclosed to the public this week. That makes it a particularly awkward time for companies to announce new products that are vulnerable to these forms of attacks. But it’s not clear there ever would have been a good time to inform the public that most modern computing devices are vulnerable to a security exploit that’s difficult to protect against.
That said, these days there’s a good chance at least some of your data has been leaked in one data breach or another. Maybe we just have to accept that there’s a risk involved in using networked computing devices and we have to balance convenience with security.
Personally, I just bought a new laptop in late 2016, and while I’ve been tempted by the 40 percent performance boost that comes with Intel’s 8th-gen, quad-core laptop chips the Meltdown and Spectre vulnerabilities do make me a little more likely to hang onto this computer for at least another year or two so I can see if something more secure is available when I’m ready to upgrade. I’m not planning to throw out my PC… but I am starting to wonder if online banking is really such a good idea.
Update: Intel CEO Brian Krzanich says the company will begin shipping chips with in-silicon mitigations for the vulnerabilities this year, but there are a lot of unanswered questions about what that means. It’s unclear if we’re talking about a major chip redesign, or just updated microcode that incorporates the fixes Intel and its partners are already rolling out for existing systems.
I don’t think it takes Nostradamus to forecast what’ll happen next. PC sales will take a hit, particularly Intel ones. The foremost question on every buyer’s lips will be “is your phone/PC susceptible to the Meltdown flaw”? Some will also lump Spectre into the same category.
No surprise that Intel CEO dumped most of his stocks, although I’m hoping he’ll get more than his hands slapped for insider trading.
Meanwhile, every geek will rev up his benchmark suites and we’ll know soon enough just how much perf loss this fiasco will exact, Intel’s and whoever’s assurance notwithstanding. As per Brad Linder, I’ll certainly put my buying decisions on hold until we get some clarity from this nightmare.
The hands should be slapped with handcuffs. The same thing happened with the credit reporting bureau, Equifax before the data breach was made public, a bunch of them dumped their stock. That should be illegal for executives of a company to do that. What’s this sh*t about corporate responsibility? Oh, wait, it’s just a buzz phrase they use. Technically, it’s not insider trading. When they find out how bad it was going to be, the CEO dumps the stock before the news catches up with all the hub-bub of the unfortunate designs that allow these exploits to work. Spectre and Meltdown have been known about since November of last year. Now, if there was privileged information that the executives gave to private parties outside of the company, that held stock in Intel in regards to how bad something really is and the company will in deep trouble because of it;… Read more »
While I’d like to believe that this is what would happen, I suspect your Nostradamus skills are a little off. The reality is that 99% of PC& phone buyers don’t know or don’t care about this sort of thing. “It’s been patched, why are you still talking about this?”
“is your phone/PC susceptible to the Meltdown flaw” will only be a foremost question for 1% of potential buyers. That’s it. Apple will release a shiny new phone, and everyone will buy it like always. Beyond a hit this week, Intel’s stock likely won’t be affected at all.
I believe you are very wrong. People are more informed these days , and more people care about the security on devices that are connected to the internet.
Actually, they haven’t been all patched. The majority of the use cases and test suites show up as negative after the patch but when you patch, you make other holes, which then will need more patches, which create more holes. People will care if, they identity is compromised, their money from their accounts are depleted, etc. They don’t care about the bug but they care about what the bug can be used for after the fact and an exploit has been used on them and their hardware. Microsoft is holding off for the time being when it comes to updating with the patch after numerous people couldn’t boot while on an AMD based platform. As the patch works for the Intel but didn’t take AMD into account (or perhaps they did and wanted to further wound / punish AMD users). Many cases have been found that Windows 10 wouldn’t boot… Read more »
>The reality is that 99% of PC& phone buyers don’t know or don’t care about this sort of thing.
You should read the news. It’s only on the front page of the New York Times, which isn’t exactly a tech rag. Not everybody is a geek, but the vast majority can spell “security breach” pretty well. The umpteenth major security debacles we’ve had in the past year have seen to that.
The bigger problem is that for virtually every PC on the market, the answer will be “yes.”
So it’s not like you can just take your business elsewhere. And not buying a new PC at all isn’t really a solution either, since it’s not like your old model is safe.
I suppose releasing a Spectre-proof chip quickly could be a differentiating factor. But there’s a huge amount of time and money that goes into designing a new chip and everything set to launch in the next year or so was probably already under development when the vulnerability was discovered. Rushing something new to market or making major changes could just introduce new security holes.
There’s nothing good about this week’s announcements. But software solutions do seem to be the only solutions for the foreseeable future.
I am about to hit the deadline for returning a new laptop- but my cpu is an HQ- I believe a 14nm chip- don’t see it in list of vulnerable chips- could this be? I was hoping to wait for one of the recent announcements but if they may also be vulnerable..maybe I should just keep what i got.
>So it’s not like you can just take your business elsewhere. And not buying a new PC at all isn’t really a solution either You’ve already answered this in your own piece. Yes, most every PC is affected, while I may not be able to buy a non-flawed PC, I certainly can delay my buying for as long as I could. You said the same thing. Take your and my sentiment and multiply it by a few tens of million buyers, and see what happens to PC sales. We’ll see how blase the buying public treat this news. I think it’ll depend on the actual perf hit on everyday computing, something that as mentioned will be borned out by benchmark tests of before- and after-Meltdown/Spectre patch. The irony is that whatever Intel’s claim of perf increase for its newest wares may well be wiped out by the Meltdown slowdown. Again,… Read more »
Hmm, I thought AMD should be more resistant to Meltdown and spectre would require physical access to the device. We’ll see if my investment in a dell ryzen 1800X system was a good idea (well I got it months ago)
AMD is completely unaffected by Meltdown and Google themselves have stated that unlike Intel, AMD has ”near-zero” vulnerability to Spectre.
The EULA in the patch would probably have language saying that we cant sue Intel if we agree to install the patch. Or no settlements if the patch is installed.
It would be nice if there were a bit more information about the differences between CPUs, like when the story first broke and they were distinguishing between Intel and AMD, but I’m thinking more about Qualcomm and it’s competitors for mobile devices.
Most mobile devices these days use ARM architecture, which is then implemented by Qualcomm, Mediatek, Samsung, etc.
ARM has already stated which of their designs is impacted… https://developer.arm.com/support/security-update.
Basically only out-of-order designs (the ones with more performance)
Thank you–that was very useful. Seemingly the Qualcomm 625 is not affected.
Or buy Pi 😀
Funny, I just had the same thought: https://liliputing.com/2018/01/know-whats-not-affected-meltdown-spectre-raspberry-pi.html
Time to build a Raspberry pi Kubernetes cluster for my home server needs
Typo:
“they’re MARCH harder “
Been content with my Core2 Duo E8400 Shuttle pc after installing an SSD. Passmark of 2156 is snappy enough for what I do. Recent Intel NUCs remain a reliability nightmare, so was planning on a new low-watt Ryzen APU pc this year. Now Meltdown and Spectre. Money still burning a hole in my pocket but I’m going to now hug my trusty old Shuttle pc and stop looking for a replacement.
Liliputing and FanlessTech have been great…thanks Brad for all you do for us!
What I find unacceptable is how all the industry treats the users now. How the average user should protect their computers?I’ve been reading that following should be done: Update your operating system, Check for firmware updates, Update your browser, Keep your antivirus active. I’m fine with 3 of them but when it comes to firmware update I don’t understand a single word from Lenovo web. They even don’t have laptops listed. None of my friends understands either. We are average users, we paid for our laptops/tablets etc and Intel and others from industry who sold us faulty product should help people now to update and protect. Most of the people are not able to perform those actions and use patches. It should be legal requirement that Intel helps all of those who need it.
I think Meltdown is a marketing ploy by Intel. It’s like Microsoft saying ‘all of our previous products are vulnerable, but if you buy our new product you’ll be safe.’ Blah, blah, blah. I’ve heard that one before.
Why would anyone buy a new PC or laptop at the moment. Intel will obviously be working hard on a new chip design to address these issues. Once it launches does anyone seriously believe that the vulnerable architecture will continue to be supported. A shiny new 2018 PC will very quickly be redundant and have to be scrapped. I certainly will be waiting to upgrade.