It’s been nearly a month since The Register first revealed that every single major processor in devices today is subject to a series of harrowing security vulnerabilities known as Spectre and Meltdown. Today, in light of news that Intel informed foreign interests of the vulnerabilities before the US government, and that Microsoft is pulling its latest patch from Intel due to some heinous bugs, we thought we’d revisit the saga and what you can (and cannot) do to protect your data.
The saga up until today…
On January 2nd, The Register revealed that Intel CPUs were subject to serious security vulnerabilities and that the causes of those vulnerabilities were rooted in features of the CPUs that were fundamental to their performance. It quickly became clear that Intel wasn’t the only CPU maker in trouble. Every modern CPU uses the same technique to improve speed and was thus vulnerable to Spectre. That means your iPhone, or your AMD laptop, or the cloud server that Google stores your Gmail on. Intel is particularly vulnerable because of its ubiquity. Its CPUs are found in most major laptops and desktops, and it has 99 percent of the server market share, according to Vijay Rakesh, a securities analyst at Mizuho Securities, in a conversation with CNBC. That means nearly every single server that hosts your data in the cloud is powered by Intel.
In the wake of the Spectre and Meltdown attacks that use the speculative execution behavior of modern processors to leak sensitive information, Intel released a microcode update that offers operating systems additional controls over the processor’s ability to predict branches. When paired with corresponding operating system changes, the extra controls can prevent the unwanted information disclosure.
Unfortunately, Intel discovered earlier this month that the microcode updates are causing machines to reboot. Initially this was confirmed to be the case for Haswell and Broadwell chips; Intel later confirmed that it also applied to Sandy Bridge, Ivy Bridge, Skylake and Kaby Lake parts. Intel’s advice was to stop deploying the microcode. A week ago the company said that it had isolated the root cause of reboots, at least for Haswell and Broadwell processors, and that it would soon begin testing a new version.
Microsoft’s initial Windows patches would detect the presence of the updated microcode and use the additional controls if they were available. The new Windows update modifies the operating system so that it won’t use the microcode’s new features, even if they’re detected. Microsoft has also documented registry keys that can be used to selectively enable or disable the protections, for sensitive systems or test environments. By avoiding the new microcode features, Microsoft has found that the system instability is also avoided.
The update is currently offered only as an out-of-band update that must be manually downloaded and installed, and it has no effect other than to disable the use of this particular Spectre mitigation.
For now, you’ll have to remain particularly diligent about abiding by best security practices. Don’t click on suspicious links or install software that hasn’t been safely sourced. If you do install updates from your computer maker or operating system provider, be forewarned that they could slow down your computer or lead to sporadic reboots. Continue to update cautiously and wait for those eventual CPUs that will be completely Spectre- and Meltdown-proof.
Whether the vulnerabilities in Intel’s chips were used by foreign agents to spy on US citizens months ahead of the US government’s awareness of the vulnerability remains to be seen. It’s been a week since Intel announced any significant progress in repairing the bugs in its patches and releasing new fixes, so we’re still, unfortunately, in the very early days of this problem.