Hold My Beer

Not to be outdone by Apple’s security trip-ups towards the end of last year, Intel have stepped up to the plate to show upstarts like the aforementioned fruit-based company and their rivals Microsoft and Google how to do a security screw-up properly.

What is Meltdown?

In summary, Meltdown is the bug that set the Twitter-sphere alight on Tuesday following an embargo lasting a few months to give software manufacturers time to work around the flaw. Put simply, a normal program can read the contents of private kernel memory, meaning that sensitive information such as passwords can be harvested by a locally running application. The flaw is found in a large number of Intel processors – effectively every processor produced since 1995 other than pre-2013 Atoms and the Itanium. AMD processors appear unaffected, although some ARM CPUs are vulnerable.

Avoiding a Meltdown

For a normal user at a workstation, the advice is simple. Since operating system vendors can work around the problem, ensure your patches are up to date – Apple have already patched macOS with 10.13.2, Windows Insiders will have received the fix late last year and Windows 10 is due to receive the fix in an out-of-band patch around now. Older versions of Windows (8 and 7) should get the fix as part of the next Patch Tuesday. In the meantime, users should ensure they are only running trusted programs (good advice anyway).

The Spectre of something nastier

Following on the heels of the Meltdown bug, like a second Horseman of the Apocalypse, a nastier vulnerability called Spectre has also been published. The Spectre flaw, which affects a wider range of ARM processors and some AMD CPUs as well as Intel silicon, allows one process to pull data from other processes on the same system, or even its own process (an example given is some nasty JavaScript pulling user data for other sites from the browser’s memory).

Trust and Isolation

Spectre is going to prove difficult to patch, but is also tricky to exploit, according to the researchers. Again, the advice is to sit tight, install patches and stick to running trusted programs. Chrome or Firefox users should also turn on Site Isolation (there is currently no information on if and when Windows Defender Application Guard will provide similar protection to Edge users).

Cloudy Problems

While client users should not panic, cloud providers will be patching frantically, since these flaws could theoretically allow one host’s process to look into other virtual machines on the same hardware. This is also where performance issues may be seen. The operating system patches are unlikely to present much, if any, slowdown to an average user, but a process that works storage hard (such as a database server) or makes a lot of calls to the kernel is likely to be noticeably slower. From a purely subjective perspective, I have not noticed any performance problems on the patched Windows and Mac systems to which I have access.

Want to know more?

The Register were the first to break the story and the full whitepapers from the security researchers can be found here. The somewhat alarmist solution from CERT (buy a new CPU) can be found here.

Class action lawyers disappointed at Apple’s rapid defusing of the iPhone battery furore are doubtless rubbing their hands in glee at Intel’s misfortune. For AMD and ARM, it must seem like Christmas 2018 has arrived early.
