Meltdown and Spectre; second-gen Ryzen; NZXT mobos; more.
The biggest bug in years will last for years, too
JUST AFTER the holidays, Google’s security people, the Project Zero Group, along with a handful of other security research groups, let slip that they had found a potentially nasty security hole in just about every modern processor. News spread quickly, and such was the potential scale of the flaw that the mainstream press took up the story, and did the socially responsible thing of frightening everybody by telling them that their sensitive data was at risk.
The breaches quickly earned themselves names— Meltdown and Spectre—and logos. Both exploit loopholes in a chip’s speculative execution procedure, a performanceboosting system where the processor makes an educated prediction about imminent procedures, and puts any unused cycles to work on them. To make this efficient, speculative execution functions can be granted a full backstage pass; they can get at otherwise protected memory.
Meltdown primarily affects Intel and some ARM chips, and can enable malicious code to break the isolation between application and OS, potentially leaving the kernel exposed. Spectre affects an even wider range of processors—just about every high-performance chip going. It works in a less direct way, but can also trick a system into handing over secrets. Because both exploit hardware bugs, they are difficult to patch and almost ubiquitous.
Security scares are nothing new. Generally, a security company will find a hole somewhere, quietly tell the OS boys, and when patches are ready, announce it to the world. The more potentially nasty the breach, the better the security company sounds, and the stronger the push toward patching and updating systems there is, so there is a tendency toward exaggeration. Pretty soon, nearly everybody has patched and fixed, and it transpires it wasn’t really as bad as first reported, and life goes on as before.
These two troublemakers aren’t your average buffer overrun flaws. Although first discovered last summer, the announcement still appeared to catch the industry by surprise. Microsoft and Intel both put out emergency patches, which proved flawed themselves. Microsoft issued six Win 10 patches in January alone. Some proved incompatible with third-party AV software, and others stopped some AMD machines from booting. The fixes also cause systems to slow down, from insignificant amounts to the point where Microsoft admits that “some users may notice a decrease in performance.”
Intel’s attempts at a patch were worse. It has advised that people don’t now use its initial firmware patch, because it’s unstable, and causes reboots in Haswell and Broadwell machines. Microsoft went as far as to issue a patch that disabled Intel’s “fix.” We currently await a stable firmware patch. There are signs that the industry did what it always advises us to avoid: panic.
Things are calmer now. w. You know the drill: Update your browser and OS if it hasn’t asn’t been done automatically. cally. Both vulnerabilities still require you to run malicious cious code on your system, and d are read-only. There have been no attacks in the wild using either vulnerability yet. In fact, the only damage done so far has been from the buggy patches.
Meltdown and Spectre can fish out passwords and encrypted keys from your system, and since the root cause is buried deep in the hardware, they are going to be around for years to come, as ditching the culpable processors is hardly practical. We’ll have to live with these two little menaces.
The long-term effect will be a performance hit, as speculative execution on the bugged processors can no longer be allowed free rein to work as it should. Everybody is going to lose a little here, and some I/O intensive tasks will take a double figure percentage drop, servers in particular. That’s the real legacy here. Rats. The first round of patches should make things safe—let’s hope that future patches can claw back some performance.
There are signs that the industry did what it always advises us to avoid: panic.