
It varies widely depending on your hardware, operating system, and workload.

PCWorld (USA) - BY BRAD CHACOS and MICHAEL SIMON

Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against them. And worse, plugging the hole can negatively affect your PC’s performance.

Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant (go.pcworld.com/anti), as ever. If you want to dive right into the action without all the background information, we’ve also created a focused guide on how to protect your PC against Meltdown and Spectre (go.pcworld.com/prtc).

Here’s a high-level look at what you need to know about Meltdown and Spectre (go.pcworld.com/melt), in plain language. Be sure to read Google’s post on the CPU vulnerabilities if you like diving deep into technical details (go.pcworld.com/gopo).

MELTDOWN AND SPECTRE CPU FLAW FAQ

Editor’s note: This article was most recently updated to mention CPU patches causing reboots in Intel systems, and Gibson Research’s InSpectre CPU tool, which can tell you if your PC is protected against these flaws. Microsoft has also patched its patch for AMD systems, which had previously left them unable to boot.

GIVE IT TO ME STRAIGHT—WHAT’S THE ISSUE HERE?

Again, the CPU exploits in play here are extremely technical, but in a nutshell, the exploit allows access to your operating system’s sacrosanct kernel memory because of how the processors handle “speculative execution” (go.pcworld.com/5pec), which modern chips perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose extremely sensitive data in the protected kernel memory, including passwords, cryptographic keys, personal photos, emails, or any other data on your PC.

Meltdown is the more serious exploit, and the one that operating systems are rushing to fix. It “breaks the most fundamental isolation between user applications and the operating system,” according to Google. This flaw most strongly affects Intel processors because of the aggressive way they handle speculative execution, though a few ARM cores (go.pcworld.com/armc) are also susceptible.

Spectre affects AMD and ARM processors as well as Intel CPUs, which means mobile devices are also at risk. (We have a separate FAQ on how Spectre affects phones and tablets [go.pcworld.com/sefq].) There may be no permanent hardware solution to Spectre, which “tricks other applications into accessing arbitrary locations in their memory.” Processor firmware updates can mitigate the issue to some degree. Software also needs to be hardened to guard against it.

WHAT’S A KERNEL?

The kernel inside your operating system is basically an invisible process that facilitates the way apps and functions work on your computer, talking directly to the hardware. It has complete access to your operating system, with the highest possible level of permissions. Standard software has much more limited access. Here’s how The Register (go.pcworld.com/rgst) puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.”

HOW DO I KNOW IF MY PC IS AT RISK?

Short answer: It is. Yes, even if it’s a Mac (go.pcworld.com/shrt).

Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. (You can find a full list of affected Intel processors in this article [go.pcworld.com/l1st].)

AMD processors aren’t affected by the Meltdown bug. But chips from Intel, AMD, and ARM are susceptible to Spectre attacks. AMD says (go.pcworld.com/amds) its hardware has “near zero” risk to one Spectre variant because of the way its chip architecture is designed, but AMD CPUs can still fall prey to another Spectre flaw.

Unsure if you’re already protected against Meltdown and Spectre? Gibson Research’s easy-peasy, free InSpectre tool (go.pcworld.com/fr55) lets you know if you’ve already installed the necessary operating system and processor updates on your computer.

HOW DO I STAY SAFE?

Update all the things. The entire computer industry is moving as quickly as possible to patch in Meltdown and Spectre protections. Right now, you should update your operating system, CPU firmware (if available), and web browser pronto. We’ve created a separate guide to staying safe from Meltdown and Spectre attacks (go.pcworld.com/atks) if you need more in-depth help.

Definitely make sure you’re running security software as well—advice that Intel also stresses. No known Meltdown and Spectre attacks have been seen in the wild, but that’s sure to change now that the details are public. Triggering the attacks requires hackers to have access to your PC. An antivirus suite keeps bad guys off your PC. And as always, only download software and apps from reputable sources to reduce the risk of malware infection.

WHAT PATCHES ARE ALREADY AVAILABLE?

Microsoft pushed out a Windows update protecting against Meltdown on January 3, the day that the CPU exploits hit headlines. Updates issued outside of Microsoft’s monthly “Patch Tuesdays” are rare, underlining the severity of this issue. Unfortunately, the emergency patch renders some AMD computers unbootable (go.pcworld.com/unbt)—mostly ones with older Sempron and Athlon processors, judging by initial reports. Microsoft halted the roll-out of the patch on affected systems until the fix is fixed.

Intel is also publishing firmware updates for its processors. You’ll need to snag them from your PC, laptop, or motherboard maker (like HP or Gigabyte) rather than Intel itself. By January 12, Intel expects to have released firmware updates for 90 percent of processors released in the past five years to its partners, though it will take longer for PC makers to actually push those fixes out for their devices. Firmware updates for all CPUs released in the last five years should have rolled out by the end of January, at which point Intel “will then focus on issuing updates for older products as prioritized by our customers,” CEO Brian Krzanich said (go.pcworld.com/brkr).

Warning: The first round of Spectre CPU fixes can cause more frequent, unwanted system reboots in Intel CPUs released since 2011 (go.pcworld.com/unwt). You still want to install them for safety, and Intel’s working to correct the issue.

AMD plans to release firmware updates (go.pcworld.com/amdp) to protect against Spectre, with patches for Ryzen, Threadripper, and Epyc CPUs coming first, and older architectures later. They’re classified as optional, though, because AMD says its CPU architecture has “near-zero” risk against the Spectre variant that requires a firmware update.

Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which released on December 6, as well as in iOS and tvOS 11.2. Kernel patches are also available for Linux.

Chromebooks received protection in Chrome OS 63, which released on December 15. You can find a detailed list of how individual Chromebooks are affected here (go.pcworld.com/chrm). Furthermore, the Chrome web browser itself was updated to include an opt-in experimental feature called “site isolation” (go.pcworld.com/siso) that can help guard against Spectre attacks. Site isolation is trickier on mobile devices; Google warns that it can create “functionality and performance issues” in Android, and since Chrome on iOS is forced to use Apple’s WKWebView, Spectre protections on that platform need to come from Apple itself. Chrome 64 will include more mitigations.

Other browsers are battening down the hatches against Spectre as well. Firefox 57 (go.pcworld.com/fi57) came out in November with some initial safeguards, and Edge and Internet Explorer (go.pcworld.com/edie) received an update alongside Windows 10. On January 8, Apple pushed out updates to iOS 11 (go.pcworld.com/is11) and macOS (go.pcworld.com/sf11) with “security improvements to Safari and WebKit to mitigate the effects of Spectre.”

Nvidia swiftly released graphics card drivers containing initial protection against Spectre (go.pcworld.com/nvdi) as well—a crucial fix since GPU display drivers sink deep hooks into your kernel. Grab the latest Nvidia drivers here (go.pcworld.com/dr1v).

Check out PCWorld’s guide to protecting your PC against Meltdown and Spectre (go.pcworld.com/me1t) if you need more help. Gibson Research’s dead-simple (and free) InSpectre tool (go.pcworld.com/t00l) can let you know instantaneously if your PC has the necessary operating system and CPU patches installed.

WILL THESE FIXES SLOW DOWN MY PC OR MAC?

It’s complicated, and highly dependent on your hardware, operating system, and workloads.

More recent Intel processors from the Skylake (6th-gen Core 6xxx series) era onward have a technology called PCID (Process-Context Identifiers) enabled and suffer less of a performance impact, according to Microsoft (go.pcworld.com/le55). Your version of Windows makes a difference as well. Plus, some applications—most notably virtualization and data center/cloud workloads—are affected more than others. Intel confirmed that the performance loss will be dependent on workload, and “should not be significant” for average home computer users.

Windows chief Terry Myerson says they “don’t expect most users to notice a change” on Windows 10 systems running Intel 6th, 7th, or 8th-generation Intel processors.

Intel published some post-patch benchmark results (go.pcworld.com/p0st) on best-case PCs like this on its blog. The tests showed an average performance loss of between 2 and 7 percent in the SYSmark 2014 SE benchmark, which simulates productivity tasks and media creation. Its responsiveness score—which measures (go.pcworld.com/meas) “‘pain points’ in the user experience when performing common activities”—plummeted by a whopping 14 percent, though. In web applications that use heavy amounts of JavaScript, Intel saw a 7 to 10 percent performance loss post-patch. These tests were performed on SSD-equipped systems; Intel reports the performance loss is less noticeable if you’re using a traditional hard drive.

Those are the best-case scenarios, though.

If you’re running older processors, including 5th-gen Haswell chips, “some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance,” Microsoft reports. Finally, Microsoft says for PCs running one of those older Intel CPUs and the older Windows 7 or 8 operating systems, “we expect most users to notice a decrease in system performance.” As far as business use cases, Windows Server “shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance.”

Early consumer benchmarks conducted using the Windows patch alone showed the most performance impact in storage speeds, but Microsoft’s Myerson stresses, “many of the benchmarks published so far do not include both OS and silicon updates,” which he deems a crucial part of the performance puzzle. Intel’s benchmarks include both OS and firmware updates.

“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote (go.pcworld.com/lnus) in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.”

WILL MY GAMES GET SLOWER?

Nope, according to the limited testing performed so far, though these sources didn’t test the Meltdown and Spectre patches with updated CPU firmware.

Phoronix (go.pcworld.com/phor) tested Dota 2, Counter-Strike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64 (go.pcworld.com/rv64). None saw a frame rate change outside the margin of error range.

Hardware Unboxed tested a handful of DirectX-based Windows games in the video linked above. With DirectX hooking so deeply into Windows, gamers were worried about a potential performance degradation there. Fortunately, Hardware Unboxed observed virtually no frame rate loss in Ashes of the Singularity, Assassin’s Creed: Origins, or Battlefield 1. Phew.

The Intel results cited in the previous section include both OS and firmware patches. They showed virtually no performance loss in 3DMark Sky Diver, a popular graphics benchmarking tool.

ARE AMD PROCESSORS AFFECTED?

Much, much less than Intel chips. All modern CPUs are vulnerable to Spectre attacks, but AMD says that its CPUs have “near zero” risk to the variant causing performance slowdowns in Windows PCs due to the way they’re constructed. Nevertheless, AMD is releasing CPU firmware updates to protect against it, though they’re classified as optional. Operating system and software updates will protect against the other Spectre variant.

There is “zero AMD vulnerability” to Meltdown thanks to chip design, AMD says. If operating system patches exclude AMD CPUs from the new Meltdown-related performance restrictions—and Linux definitely is—the performance war between Intel’s chips and AMD’s new Ryzen CPUs (go.pcworld.com/ryzn) may get even tighter.

The emergency Windows patch rendered some AMD PCs unbootable (go.pcworld.com/unbo), which prompted Microsoft to halt its installation on potentially impacted systems. It appears mostly older Sempron and Athlon CPUs are affected. Microsoft’s new patch, KB4073290, solves the problem (go.pcworld.com/kb40). It will either deploy via Windows Update or can be manually downloaded (go.pcworld.com/m4nu).

THAT SUCKS! THERE’S NOTHING I CAN DO!?

We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.

Intel’s post-patch performance results on “best-case” PCs.

Intel processors have a severe kernel security flaw.

Macs are affected by Meltdown and Spectre, too.

Even new Intel chips like the Core i7-8700K are affected by Meltdown and Spectre.
