This week we learned of major security vulnerabilities affecting nearly every current PC, server, and smartphone processor on the market as well as many released in the past decade or so.
The Meltdown vulnerability primarily affects Intel processors, although chips based on new ARM Cortex-A75 design are also impacted. AMD chips are considered safe from Meltdown. And thanks to software updates that are already rolling out, many PCs, servers, and mobile devices should be relatively safe from Meltdown attacks in the foreseeable future, although the patches could slow down performance in some cases.
Spectre attacks, on the other hand, could potentially affect Intel, AMD, and ARM processors. And they’re much harder to completely protect against via a software update. That hasn’t kept companies from trying, and the first round of Spectre mitigating updates are already rolling out. But to be fully protected against Spectre, chip makers might have to introduce new hardware that’s not vulnerable to these forms of attacks.
It’s not entirely clear if or when that will happen though, which raises the question: is now a bad time to buy a new computer or phone?
It’s also an awkward time to be asking that question. Next week we’ll see the launch of hundreds of new gadgets at the annual Consumer Electronics Show, and PC makers have already started unveiling new laptops, tablets, convertibles, and desktops ahead of the show, and all of them have chips that are susceptible to Meltdown and/or Spectre vulnerabilities… although software patches could mitigate some of the risk.
Intel seems confident that software updates are good enough. The company says the updates its releasing starting this week will render PCs and servers with Intel chips “immune” to both Meltdown and Spectre.
Security researchers aren’t as certain. While Apple, Google, Microsoft, and others are all rolling out software updates alongside Intel’s firmware updates that will help neutralize Meltdown, it’s unclear if the Spectre-oriented patches will prevent all forms of Spectre-related attacks.
And the Meltdown patches have a downside. While Intel, Google, and others claim that the performance impact is “negligible,” some tests show that computers with updated software perform certain tasks significantly more slowly.
While it’s nice to know that companies are doing their best to protect the billions of computing devices already in use, what about all those new machines set to hit the streets in 2018? You know, the ones that’ll be on display at CES 2018.
They’ll support all the same software patches as whatever hardware you’re currently using. But they don’t feature any major chip redesigns to protect them. And at this point it’s not clear if or when Intel or ARM will change the way it makes chips to protect them from these vulnerabilities.
Intel has told CNET that it will ship products later this year that incorporate some of the software-based mitigations directly in hardware. But if the software isn’t 100 percent effective, then the hardware changes might not be either.
One problem is that the vulnerabilities affect a feature called speculative execution which helps CPUs run more quickly. Disabling speculative execution would eliminate the issue, but it would also slow down performance. Intel and other chip makers will need to balance security and performance moving forward.
Another problem is that chips take years to design and manufacture. Even if Intel and other companies do decide to change their architecture to avoid Spectre and Meltdown vulnerabilities, it could take years before those chips reach the market… and it’d take many, many more years before businesses and individuals replaced all of their servers, PCs, and mobile devices with models featuring the new chips. So focusing on software fixes is an important approach.
The good news is that so far researchers aren’t away of any malware that uses a Spectre-based attack to steal data. And now that the vulnerability has been disclosed, we’re likely to see security researchers continue exploring additional ways it could be exploited… and continue patching those vulnerabilities as they’re discovered.
Still, I don’t blame anyone for looking at all the computers being announced this week and thinking “it looks nice, but why would I buy it if it’s still susceptible to Spectre.” But if you’re in the market for a new PC in the next year or two, you might not have any option other than one that’s vulnerable to Spectre-based attacks.
Earlier this week the Computer Emergency Response Team Coordination Center (CERT/CC) issued a security note suggesting that in addition to applying software updates, a solution was to “replace CPU hardware” because “the underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable hardware.”
Of course, complying with that suggestion would be difficult because there are no really good alternative CPUs. But CERT/CC has since changed its recommendation to say “operating system and some application updates mitigate these attacks.”
That’s likely due in part to updated information from chip makers, security researchers, and software developers.
The US-CERT site, however, still notes that while software updates will help, “the vulnerability exists in CPU architecture rather than in software,” so “patching may not fully address these vulnerabilities in all cases.”
It’s still early days though. While major tech companies have been aware of the vulnerabilities since June, they’ve only been disclosed to the public this week. That makes it a particularly awkward time for companies to announce new products that are vulnerable to these forms of attacks. But it’s not clear there ever would have been a good time to inform the public that most modern computing devices are vulnerable to a security exploit that’s difficult to protect against.
That said, these days there’s a good chance at least some of your data has been leaked in one data breach or another. Maybe we just have to accept that there’s a risk involved in using networked computing devices and we have to balance convenience with security.
Personally, I just bought a new laptop in late 2016, and while I’ve been tempted by the 40 percent performance boost that comes with Intel’s 8th-gen, quad-core laptop chips the Meltdown and Spectre vulnerabilities do make me a little more likely to hang onto this computer for at least another year or two so I can see if something more secure is available when I’m ready to upgrade. I’m not planning to throw out my PC… but I am starting to wonder if online banking is really such a good idea.
Update: Intel CEO Brian Krzanich says the company will begin shipping chips with in-silicon mitigations for the vulnerabilities this year, but there are a lot of unanswered questions about what that means. It’s unclear if we’re talking about a major chip redesign, or just updated microcode that incorporates the fixes Intel and its partners are already rolling out for existing systems.