
Patches for Meltdown and Spectre Fix Flaws But Cause Slowdowns

January 16, 2018

Intel began the new year with the embarrassing announcement that researchers discovered vulnerabilities built into most of the processors the company has built in the last two decades. The security flaws affect nearly everyone and could allow a hacker to bypass security software to steal passwords and other crucial private data.

Microsoft and Apple rushed patches for their operating systems to address the concern.

Now that operating systems have been updated, researchers are talking more specifically about what the problems were. We know there were two major flaws: Meltdown and Spectre. Meltdown affects only Intel chips, while Spectre affects Intel, ARM, and AMD processors.

The Meltdown flaw could allow a hacker to use a low-privilege program to access files in a computer’s kernel, the core of an operating system. Essentially, a rogue process (e.g. malware or JavaScript running in web browsers) could access and steal sensitive data like private files, passwords, and crypto-keys.

Spectre exploits a process called speculative execution, which speeds up computer processes by predicting what work needs to be done before it is requested. Hackers could potentially trick programs into reading private data, which modifies the data cache. If the hacker can then access the data cache, he could access that private data.

It’s important to note that these aren’t speculative threats; we’ve already seen several exploit tools on publicly available sites, which we won’t link here for obvious reasons.

The security updates work great, except for one big problem.

The patches for Meltdown and Spectre fix the problem and make the chips safe to use. Unfortunately, these fixes slow down computers. Intel admitted that chip performance would likely slow down by six percent (as much as 14 percent for some tasks).

In a statement, the company said, “the typical home and business PC user should not see significant slowdowns in common tasks such as reading email, writing a document or accessing digital photos.” However, the statement also says that the company will continue searching for solutions where patching causes “significant” slowdowns, admitting that some will experience a more major impact.

Has anyone actually exploited the Meltdown or Spectre vulnerabilities?

One of the most disturbing aspects of the story is that a successful exploitation of these flaws would leave no trace. That means that security experts don’t know if any hackers discovered and exploited this flaw before security experts fixed it.

We may never know for sure, but there’s good reason to believe it’s possible. Three independent teams discovered and reported Meltdown. Who’s to say a fourth team didn’t discover it long ago and keep it a secret? After all, the flaw has existed for approximately 20 years, and we know that government organizations (like our NSA) stockpile vulnerabilities without reporting them.

Two teams independently discovered and reported the Spectre flaw. Again, there’s a distinct possibility that another team found it but kept it to themselves.

The chip bugs have a wide-reaching impact.

Just about everyone who owns a modern computing device could be vulnerable to one or both of these bugs. While Meltdown affects only Intel chips, Spectre poses a risk to smartphones, laptops, desktops, and cloud servers.

To protect yourself against Meltdown and Spectre, make sure your operating system is updated. If there is a silver lining to these unfortunate discoveries, it’s the chance to remind the public of the importance of an up-to-date operating system.
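
On a Linux machine, the kernel itself reports whether it has Meltdown and Spectre mitigations active, so the update can be verified rather than assumed. The script below is an added example, not part of the original article; it assumes a Linux host that exposes /sys/devices/system/cpu/vulnerabilities, and its function names and sample values are constructed for illustration.

```python
from pathlib import Path

# Assumption: a Linux host whose kernel exposes this sysfs directory;
# kernels that predate the fixes may not provide it at all.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one kernel status line to a (state, detail) pair."""
    if status is None:
        return ("unknown", "no kernel report; kernel may predate the fixes")
    text = status.strip()
    if text == "Not affected":
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text[len("Mitigation:"):].strip())
    if text.startswith("Vulnerable"):
        return ("vulnerable", text[len("Vulnerable"):].lstrip(":, ").strip())
    return ("unknown", text)

def read_reports(base=SYSFS_DIR):
    """Return {check name: raw status text, or None if the file is absent}."""
    files = {name: Path(base) / name for name in CHECKS}
    return {n: (p.read_text() if p.is_file() else None) for n, p in files.items()}

def needs_action(reports):
    """Names of checks that are neither mitigated nor reported as not affected."""
    return sorted(name for name, raw in reports.items()
                  if classify(raw)[0] not in ("mitigated", "not_affected"))

# Constructed sample (not captured from a real machine): an Intel host with
# kernel page-table isolation enabled but no Spectre variant 2 mitigation.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    live = read_reports()
    # Fall back to the constructed sample when run on a non-Linux host.
    reports = live if any(live.values()) else SAMPLE
    for name, raw in reports.items():
        state, detail = classify(raw)
        print(f"{name:<11} {state:<13} {detail}")
    print("needs action:", ", ".join(needs_action(reports)) or "none")
```

Any check listed under "needs action" means the running kernel or CPU microcode still needs an update, or the host needs a reboot into the patched kernel.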
