Liliputing


Should you wait for Meltdown & Spectre-proof CPUs before buying a new PC or phone?

01/05/2018 at 11:39 AM by Brad Linder 27 Comments

This week we learned of major security vulnerabilities affecting nearly every current PC, server, and smartphone processor on the market as well as many released in the past decade or so.

The Meltdown vulnerability primarily affects Intel processors, although chips based on the new ARM Cortex-A75 design are also impacted. AMD chips are considered safe from Meltdown. And thanks to software updates that are already rolling out, many PCs, servers, and mobile devices should be relatively safe from Meltdown attacks in the foreseeable future, although the patches could slow down performance in some cases.

Spectre attacks, on the other hand, could potentially affect Intel, AMD, and ARM processors. And they’re much harder to completely protect against via a software update. That hasn’t kept companies from trying, and the first round of Spectre-mitigating updates is already rolling out. But to be fully protected against Spectre, chip makers might have to introduce new hardware that’s not vulnerable to these forms of attacks.

It’s not entirely clear if or when that will happen though, which raises the question: is now a bad time to buy a new computer or phone?

It’s also an awkward time to be asking that question. Next week we’ll see the launch of hundreds of new gadgets at the annual Consumer Electronics Show, and PC makers have already started unveiling new laptops, tablets, convertibles, and desktops ahead of the show, and all of them have chips that are susceptible to Meltdown and/or Spectre vulnerabilities… although software patches could mitigate some of the risk.

Intel seems confident that software updates are good enough. The company says the updates it’s releasing starting this week will render PCs and servers with Intel chips “immune” to both Meltdown and Spectre.

Security researchers aren’t as certain. While Apple, Google, Microsoft, and others are all rolling out software updates alongside Intel’s firmware updates that will help neutralize Meltdown, it’s unclear if the Spectre-oriented patches will prevent all forms of Spectre-related attacks.

And the Meltdown patches have a downside. While Intel, Google, and others claim that the performance impact is “negligible,” some tests show that computers with updated software perform certain tasks significantly more slowly.

While it’s nice to know that companies are doing their best to protect the billions of computing devices already in use, what about all those new machines set to hit the streets in 2018? You know, the ones that’ll be on display at CES 2018.

They’ll support all the same software patches as whatever hardware you’re currently using. But they don’t feature any major chip redesigns to protect them. And at this point it’s not clear if or when Intel or ARM will change the way it makes chips to protect them from these vulnerabilities.

Intel has told CNET that it will ship products later this year that incorporate some of the software-based mitigations directly in hardware. But if the software isn’t 100 percent effective, then the hardware changes might not be either.

One problem is that the vulnerabilities affect a feature called speculative execution which helps CPUs run more quickly. Disabling speculative execution would eliminate the issue, but it would also slow down performance. Intel and other chip makers will need to balance security and performance moving forward.


Another problem is that chips take years to design and manufacture. Even if Intel and other companies do decide to change their architecture to avoid Spectre and Meltdown vulnerabilities, it could take years before those chips reach the market… and it’d take many, many more years before businesses and individuals replaced all of their servers, PCs, and mobile devices with models featuring the new chips. So focusing on software fixes is an important approach.

The good news is that so far researchers aren’t aware of any malware that uses a Spectre-based attack to steal data. And now that the vulnerability has been disclosed, we’re likely to see security researchers continue exploring additional ways it could be exploited… and continue patching those vulnerabilities as they’re discovered.

Still, I don’t blame anyone for looking at all the computers being announced this week and thinking “it looks nice, but why would I buy it if it’s still susceptible to Spectre.” But if you’re in the market for a new PC in the next year or two, you might not have any option other than one that’s vulnerable to Spectre-based attacks.

Earlier this week the Computer Emergency Response Team Coordination Center (CERT/CC) issued a security note suggesting that in addition to applying software updates, a solution was to “replace CPU hardware” because “the underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable hardware.”

Of course, complying with that suggestion would be difficult because there are no really good alternative CPUs. But CERT/CC has since changed its recommendation to say “operating system and some application updates mitigate these attacks.”

That’s likely due in part to updated information from chip makers, security researchers, and software developers.

The US-CERT site, however, still notes that while software updates will help, “the vulnerability exists in CPU architecture rather than in software,” so “patching may not fully address these vulnerabilities in all cases.”

It’s still early days though. While major tech companies have been aware of the vulnerabilities since June, they’ve only been disclosed to the public this week. That makes it a particularly awkward time for companies to announce new products that are vulnerable to these forms of attacks. But it’s not clear there ever would have been a good time to inform the public that most modern computing devices are vulnerable to a security exploit that’s difficult to protect against.

That said, these days there’s a good chance at least some of your data has been leaked in one data breach or another. Maybe we just have to accept that there’s a risk involved in using networked computing devices and we have to balance convenience with security.

Personally, I just bought a new laptop in late 2016, and while I’ve been tempted by the 40 percent performance boost that comes with Intel’s 8th-gen, quad-core laptop chips, the Meltdown and Spectre vulnerabilities do make me a little more likely to hang onto this computer for at least another year or two so I can see if something more secure is available when I’m ready to upgrade. I’m not planning to throw out my PC… but I am starting to wonder if online banking is really such a good idea.

Update: Intel CEO Brian Krzanich says the company will begin shipping chips with in-silicon mitigations for the vulnerabilities this year, but there are a lot of unanswered questions about what that means. It’s unclear if we’re talking about a major chip redesign, or just updated microcode that incorporates the fixes Intel and its partners are already rolling out for existing systems.

27 Comments on "Should you wait for Meltdown & Spectre-proof CPUs before buying a new PC or phone?"
Dan

I don’t think it takes Nostradamus to forecast what’ll happen next. PC sales will take a hit, particularly Intel ones. The foremost question on every buyer’s lips will be “is your phone/PC susceptible to the Meltdown flaw”? Some will also lump Spectre into the same category.

No surprise that Intel CEO dumped most of his stocks, although I’m hoping he’ll get more than his hands slapped for insider trading.

Meanwhile, every geek will rev up his benchmark suites and we’ll know soon enough just how much perf loss this fiasco will exact, Intel’s and whoever’s assurance notwithstanding. As per Brad Linder, I’ll certainly put my buying decisions on hold until we get some clarity from this nightmare.

Interesting

While I’d like to believe that this is what would happen, I suspect your Nostradamus skills are a little off. The reality is that 99% of PC & phone buyers don’t know or don’t care about this sort of thing. “It’s been patched, why are you still talking about this?”

“is your phone/PC susceptible to the Meltdown flaw” will only be a foremost question for 1% of potential buyers. That’s it. Apple will release a shiny new phone, and everyone will buy it like always. Beyond a hit this week, Intel’s stock likely won’t be affected at all.

Dan

>The reality is that 99% of PC & phone buyers don’t know or don’t care about this sort of thing.

You should read the news. It’s only on the front page of the New York Times, which isn’t exactly a tech rag. Not everybody is a geek, but the vast majority can spell “security breach” pretty well. The umpteenth major security debacles we’ve had in the past year have seen to that.

Brad Linder
Author

The bigger problem is that for virtually every PC on the market, the answer will be “yes.”

So it’s not like you can just take your business elsewhere. And not buying a new PC at all isn’t really a solution either, since it’s not like your old model is safe.

I suppose releasing a Spectre-proof chip quickly could be a differentiating factor. But there’s a huge amount of time and money that goes into designing a new chip and everything set to launch in the next year or so was probably already under development when the vulnerability was discovered. Rushing something new to market or making major changes could just introduce new security holes.

There’s nothing good about this week’s announcements. But software solutions do seem to be the only solutions for the foreseeable future.

Dan

>So it’s not like you can just take your business elsewhere. And not buying a new PC at all isn’t really a solution either

You’ve already answered this in your own piece. Yes, most every PC is affected, while I may not be able to buy a non-flawed PC, I certainly can delay my buying for as long as I could. You said the same thing. Take your and my sentiment and multiply it by a few tens of million buyers, and see what happens to PC sales. We’ll see how blase the buying public treat this news. I think it’ll depend on the actual perf hit on everyday computing, something that as mentioned will be borne out by benchmark tests of before- and after-Meltdown/Spectre patch. The irony is that whatever Intel’s claim of perf increase for its newest wares may well be wiped out by the Meltdown slowdown. Again,…

donamor1

I am about to hit the deadline for returning a new laptop - but my CPU is an HQ - I believe a 14nm chip - don’t see it in list of vulnerable chips - could this be? I was hoping to wait for one of the recent announcements but if they may also be vulnerable... maybe I should just keep what I got.

Lex Barringer

Actually, they haven’t been all patched. The majority of the use cases and test suites show up as negative after the patch but when you patch, you make other holes, which then will need more patches, which create more holes. People will care if their identity is compromised, their money from their accounts is depleted, etc. They don’t care about the bug but they care about what the bug can be used for after the fact and an exploit has been used on them and their hardware. Microsoft is holding off for the time being when it comes to updating with the patch after numerous people couldn’t boot while on an AMD based platform. As the patch works for the Intel but didn’t take AMD into account (or perhaps they did and wanted to further wound / punish AMD users). Many cases have been found that Windows 10 wouldn’t boot…

guku

I believe you are very wrong. People are more informed these days, and more people care about the security on devices that are connected to the internet.

Lex Barringer

The hands should be slapped with handcuffs. The same thing happened with the credit reporting bureau, Equifax before the data breach was made public, a bunch of them dumped their stock. That should be illegal for executives of a company to do that. What’s this sh*t about corporate responsibility? Oh, wait, it’s just a buzz phrase they use. Technically, it’s not insider trading. When they find out how bad it was going to be, the CEO dumps the stock before the news catches up with all the hub-bub of the unfortunate designs that allow these exploits to work. Spectre and Meltdown have been known about since November of last year. Now, if there was privileged information that the executives gave to private parties outside of the company, that held stock in Intel in regards to how bad something really is and the company will be in deep trouble because of it;…

David Feig

Hmm, I thought AMD should be more resistant to Meltdown and Spectre would require physical access to the device. We’ll see if my investment in a Dell Ryzen 1800X system was a good idea (well I got it months ago)

Hifihedgehog

AMD is completely unaffected by Meltdown and Google themselves have stated that unlike Intel, AMD has “near-zero” vulnerability to Spectre.

Revue Escriptor

The EULA in the patch would probably have language saying that we can’t sue Intel if we agree to install the patch. Or no settlements if the patch is installed.

Kary

It would be nice if there were a bit more information about the differences between CPUs, like when the story first broke and they were distinguishing between Intel and AMD, but I’m thinking more about Qualcomm and its competitors for mobile devices.

ThornC

Most mobile devices these days use ARM architecture, which is then implemented by Qualcomm, Mediatek, Samsung, etc.
ARM has already stated which of their designs is impacted… https://developer.arm.com/support/security-update.
Basically only out-of-order designs (the ones with more performance)

Kary

Thank you–that was very useful. Seemingly the Qualcomm 625 is not affected.

Tomm

Or buy Pi 😀

Brad Linder
Author

Funny, I just had the same thought: https://liliputing.com/2018/01/know-whats-not-affected-meltdown-spectre-raspberry-pi.html

Travis

Time to build a Raspberry Pi Kubernetes cluster for my home server needs

Muzigais

Typo:
“they’re MARCH harder “

Book Adams

Been content with my Core2 Duo E8400 Shuttle pc after installing an SSD. Passmark of 2156 is snappy enough for what I do. Recent Intel NUCs remain a reliability nightmare, so was planning on a new low-watt Ryzen APU pc this year. Now Meltdown and Spectre. Money still burning a hole in my pocket but I’m going to now hug my trusty old Shuttle pc and stop looking for a replacement.

Liliputing and FanlessTech have been great…thanks Brad for all you do for us!

Izabela

What I find unacceptable is how all the industry treats the users now. How should the average user protect their computers? I’ve been reading that the following should be done: Update your operating system, Check for firmware updates, Update your browser, Keep your antivirus active. I’m fine with 3 of them but when it comes to firmware update I don’t understand a single word from Lenovo web. They even don’t have laptops listed. None of my friends understands either. We are average users, we paid for our laptops/tablets etc and Intel and others from industry who sold us faulty product should help people now to update and protect. Most of the people are not able to perform those actions and use patches. It should be legal requirement that Intel helps all of those who need it.

penguinx64

I think Meltdown is a marketing ploy by Intel. It’s like Microsoft saying ‘all of our previous products are vulnerable, but if you buy our new product you’ll be safe.’ Blah, blah, blah. I’ve heard that one before.

Bob

Why would anyone buy a new PC or laptop at the moment? Intel will obviously be working hard on a new chip design to address these issues. Once it launches does anyone seriously believe that the vulnerable architecture will continue to be supported? A shiny new 2018 PC will very quickly be redundant and have to be scrapped. I certainly will be waiting to upgrade.
