Meltdown and Spectre; second-gen Ryzen; NZXT mobos; more.

The biggest bug in years will last for years, too


JUST AFTER the holidays, Google’s security people, the Project Zero Group, along with a handful of other security research groups, let slip that they had found a potentially nasty security hole in just about every modern processor. News spread quickly, and such was the potential scale of the flaw that the mainstream press took up the story, and did the socially responsible thing of frightening everybody by telling them that their sensitive data was at risk.

The breaches quickly earned themselves names—Meltdown and Spectre—and logos. Both exploit loopholes in a chip’s speculative execution procedure, a performance-boosting system where the processor makes an educated prediction about imminent procedures, and puts any unused cycles to work on them. To make this efficient, speculative execution functions can be granted a full backstage pass; they can get at otherwise protected memory.

Meltdown primarily affects Intel and some ARM chips, and can enable malicious code to break the isolation between application and OS, potentially leaving the kernel exposed. Spectre affects an even wider range of processors—just about every high-performance chip going. It works in a less direct way, but can also trick a system into handing over secrets. Because both exploit hardware bugs, they are difficult to patch and almost ubiquitous.

Security scares are nothing new. Generally, a security company will find a hole somewhere, quietly tell the OS boys, and when patches are ready, announce it to the world. The more potentially nasty the breach, the better the security company sounds, and the stronger the push toward patching and updating systems there is, so there is a tendency toward exaggeration. Pretty soon, nearly everybody has patched and fixed, and it transpires it wasn’t really as bad as first reported, and life goes on as before.

These two troublemakers aren’t your average buffer overrun flaws. Although first discovered last summer, the announcement still appeared to catch the industry by surprise. Microsoft and Intel both put out emergency patches, which proved flawed themselves. Microsoft issued six Win 10 patches in January alone. Some proved incompatible with third-party AV software, and others stopped some AMD machines from booting. The fixes also cause systems to slow down, from insignificant amounts to the point where Microsoft admits that “some users may notice a decrease in performance.”

Intel’s attempts at a patch were worse. It has advised that people don’t now use its initial firmware patch, because it’s unstable, and causes reboots in Haswell and Broadwell machines. Microsoft went as far as to issue a patch that disabled Intel’s “fix.” We currently await a stable firmware patch. There are signs that the industry did what it always advises us to avoid: panic.

Things are calmer now. You know the drill: Update your browser and OS if it hasn’t been done automatically. Both vulnerabilities still require you to run malicious code on your system, and are read-only. There have been no attacks in the wild using either vulnerability yet. In fact, the only damage done so far has been from the buggy patches.

Meltdown and Spectre can fish out passwords and encrypted keys from your system, and since the root cause is buried deep in the hardware, they are going to be around for years to come, as ditching the culpable processors is hardly practical. We’ll have to live with these two little menaces.

The long-term effect will be a performance hit, as speculative execution on the bugged processors can no longer be allowed free rein to work as it should. Everybody is going to lose a little here, and some I/O intensive tasks will take a double figure percentage drop, servers in particular. That’s the real legacy here. Rats. The first round of patches should make things safe—let’s hope that future patches can claw back some performance.
