What are Meltdown and Spectre and are you affected?
A guide to the CPU security flaws and their flawed patches
Over the last 20 years, there have been a number of big security threats to worry about, from Heartbleed to the Mirai botnet. The last two years have proved to be no different. Indeed, within just a week of the New Year in 2018, we learned of a serious design flaw present in most processor chips made in the last two decades.
Worryingly, cyber security experts reported that this flaw could be exploited using techniques known as Spectre and Meltdown, leaving devices vulnerable to hackers and requiring an operating system patch to fix.
A lot of water has passed under the bridge in the meantime, so for anyone needing to catch up, here's a complete guide to the whole fiasco.
The design flaw
The security vulnerability is a consequence of a design defect that was first found present in all Intel chips produced in the last 20 years (effectively every processor since 1995 except Intel Itanium and Intel Atom before 2013).
The kernel on a computer chip moves data around a chip's various sections of memory in response to what command a user is carrying out. By exploiting the kernel in different ways, Meltdown and Spectre have the potential to allow intruders to get access to data previously thought completely protected.
What exactly are Meltdown and Spectre?
Spectre and Meltdown are the names given to different variants of this same vulnerability. Both involve malicious code gaining access to data that is normally protected by the kernel.
Meltdown is so-called as it has the ability to "melt" the restrictions usually set in place at a chip's hardware level that should, in theory at least, protect sectors of the memory. In side-stepping these defences, Meltdown permits attackers or malware to access and pry on data they shouldn't be able to.
Spectre, on the other hand, gets its name from a procedure known as "speculative execution" that is supposed to help computers carry out actions in a non-linear fashion, improving the speed of execution.
For instance, if the program a user is running follows an 'if X, then Y' rule, then if a user chooses to perform X, the chip must then work on carrying out Y. A chip performing speculative execution would start carrying out Y before the user chooses to perform X, to get a headstart on computation. Doing so leaks data that should stay private.
A Spectre attack needs more knowledge of the victim program's inner workings, and doesn't permit access to other programs' data, but will also work on just about any computer processor out there.
The official Spectre website (yes, there is one) states that while Spectre is more difficult to exploit than Meltdown, it is also harder to mitigate. It breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Which systems are affected?
It depends on the attack you're looking at. Meltdown mostly affects Intel processors and at the moment, it is unclear whether AMD processors are also affected. ARM says some of its processors are also affected.
Spectre is much more widespread, however. Almost every system is affected by Spectre, including desktops, laptops, cloud servers, and even smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable, which means all popular operating systems, including Windows, Linux, and macOS, are affected.
Am I affected?
Pretty much all chips from all major manufacturers created in the last 20 years are affected by Spectre or Meltdown, or both.
Although Intel was the first to be identified and the first to acknowledge the problem, both in private and in public, ARM and AMD CPUs are also affected.
All three have issued patches for their components (more information on that below), typically consisting of microcode mitigations. Some of these have been more successful than others and Intel took a number of attempts to issue ones that didn't cause major problems such as causing computers to repeatedly reboot or run extremely slowly.
Consequently, if you're running a computer or servers bought more recently than 1995 and haven't installed the patches issued by the chip manufacturers, your system(s) are almost certainly affected.
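On Linux, the kernel reports its own view of each flaw and of the mitigation in use. The script below is an added example, not part of the original guide: it assumes a Linux kernel (4.15 or later, or a distribution backport) that exposes `/sys/devices/system/cpu/vulnerabilities`, and the function names `classify_status` and `report_cpu_vulns` are this example's own.

```shell
#!/bin/sh
# Added example: summarise Meltdown/Spectre status from Linux sysfs.
# Assumption: the kernel exposes the directory below (Linux 4.15+ or a
# distribution backport). Other operating systems need vendor tools.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map the kernel's status text to one of:
# not_affected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print one line per flaw; return non-zero if any flaw is not clearly
# mitigated or unaffected. $1 = directory to read (defaults to sysfs).
report_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
        else
            raw="(no status file)"   # old kernel or non-Linux system
        fi
        class=$(classify_status "$raw")
        printf '%-10s %-12s %s\n' "$name" "$class" "$raw"
        case "$class" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run against the live system only when the interface exists.
if [ -d "$VULN_DIR_DEFAULT" ]; then
    report_cpu_vulns ||
        echo "At least one flaw is not mitigated: install OS and firmware updates."
fi
```

A missing status file is reported as `unknown` rather than as safe, since kernels that predate the interface also predate the fixes.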
In the race to patch the vulnerabilities when they became known at the start of 2018, vendors issued updates that created many issues for users.
Shortly after publishing a fix in January, Microsoft removed the update after a number of AMD-powered PCs failed to boot following the installation of the security patch.
The issue was brought to Microsoft's attention on its customer support blog, with users saying their devices stopped loading the Start menu or taskbar after installing updates pushed to their devices on the 3 and 9 January. It seems computers running Windows 10, Windows 8.1 and Windows 7 were all affected, with some of the machines dating back 10 years.
Intel had a much bigger issue after releasing its CPU bug fixes, however.
After discovering that the Spectre patches impact performance by up to 25% on data centre chips, and 3% to 4% on other systems, the chip giant backtracked and decided to advise customers not to download the patches, due to the reboots and performance hits they were causing.
The firm's executive vice president, Navin Shenoy, recommended that OEMs, cloud service providers, system manufacturers, software vendors, and end-users "stop deployment of current versions on [a] specific platform as they may introduce higher than expected reboots and other unpredictable system behaviour".
This applied to systems powered by Intel's previous generations of chips, including Broadwell, Haswell, Coffee Lake, Kaby Lake, Skylake, and Ivy Bridge families.
In a post on the Linux kernel mailing list, Linux creator Linus Torvalds lambasted Intel for the fiasco, saying the patches "do literally insane things" to the performance of the systems they are installed on.
"They do things that do not make sense," Torvalds declared. "That makes all your arguments questionable and suspicious. The patches do things that are not sane."
He ranted that the patches are "ignoring the much worse issue, namely that the whole hardware interface is literally mis-designed by morons".
In February, however, Intel finally issued a working update for its Skylake chips. It might have arrived three weeks after the original buggy patch release, but the firm said it had successfully developed a number of microcode solutions to protect its customers against the Meltdown and Spectre exploits.
The released updates included fixes for its OEM customers and partners for Kaby Lake and Coffee Lake-based platforms, as well as additional Skylake-based platforms. These included its sixth, seventh and eighth-generation Intel Core product lines as well as the latest Intel Core X-series processor family.
The recently announced Intel Xeon Scalable and Intel Xeon D processors for data centre systems are also covered by the patches.
"This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production," Shenoy said in a blog post. "On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process."
It's still not clear if Intel has successfully patched its fourth and fifth generation Haswell and Broadwell CPUs yet, however.
Can I patch?
Users concerned about the impact of Spectre and Meltdown are advised to keep up with patch releases from device manufacturers as and when they are released, while hoping they don't have too much of an unintended impact on the performance of their machines.
Microsoft recently disabled its Spectre patch, for instance, saying the performance impact was too great compared to the low risk of a user launching a Spectre attack on someone's device. However, if you're a large enterprise likely to be a lucrative target for malicious actors, failing to patch Spectre is not an option.
Torvalds' outburst was also directed at the fact that Intel's plan to bypass its patches' hits on performance was to make the Meltdown fix optional, in effect shipping faulty hardware that users would then have to patch themselves.
However, at the start of February Intel issued a fresh patch for devices running its Skylake-based Core or Core M processors that it claimed wouldn't introduce any untoward side effects. A similarly effective patch for Haswell and Broadwell-running PCs is still in the works, but Intel has also introduced patches for its Kaby Lake, Coffee Lake, sixth, seventh and eighth-generation Intel Core i and Core X series.
In April, however, Intel deemed some of its affected CPUs too tough to patch. The chip manufacturer released a revision notice listing 16 microcode updates as "stopped", meaning that while patches had previously been released they were no longer being rolled out.
The reasons Intel gave vary from the sheer difficulty in patching a chip due to its design to the fact some are powering 'closed systems', with the company leaving it up to its hardware partners to issue BIOS updates themselves.
Later that month, AMD finally released a number of updates to help protect systems against Spectre vulnerabilities found in its chips, months after they were first disclosed to the public in early 2018.
According to a team of Google researchers, Spectre vulnerabilities present in many of today's processors cannot be completely mitigated by applying software fixes, as has been assumed.