Meltdown and Spectre computer bugs – what they are and what you need to do.
2018 did not start off well for Intel. As businesses were getting back into the swing of things after the New Year, UK tech news site “The Register” broke the news on January 2nd of a serious security flaw in Intel processors, one that goes back more than two decades. The flaw would allow hackers (and not necessarily sophisticated ones – script kiddies too) to steal sensitive data (passwords, login cookies etc.) off any computer running Intel processors by using straightforward JavaScript in a compromised web page or rogue ad. On the positive side, while being easy to exploit, Meltdown is also relatively easy to patch.
However, things got worse fairly quickly when another flaw was disclosed. Aptly named Spectre for its probably more lingering and haunting effects, it affects not just Intel processors but also AMD, ARM and Apple, and more recently Qualcomm and IBM CPU cores were added to the list, meaning that practically all computers and devices out there are at risk, except possibly the Raspberry Pi. Though Spectre is thankfully harder to exploit, it is also considerably harder than Meltdown to patch.
Google and the Mozilla Foundation were quick to suggest using previously-obscure security settings for Chrome and Firefox respectively to help minimize possible exploitation. A fix from OS suppliers for Linux, Windows, MacOS was also required, not just for desktops, laptops and servers but any devices including mobile phones and tablets running these operating systems or variants of them.
Microsoft accelerated an update for Windows 10 rolling it out between January 4th and 5th ahead of their usual patch Tuesday updates which were not due until January 9th. Windows Server updates arrived on the scheduled patch Tuesday date.
Linux OS suppliers were also fairly quick to provide kernel patches and Apple released an update for iOS to 11.2.2 and MacOS 10.13.2 on January 8th. They also released patches for Apple TV.
The January 4th Windows patches hit setbacks when conflicts were discovered with several popular antivirus products leading to the dreaded blue screen of death, so Microsoft stopped releasing updates for machines running these antivirus programs. The solution would be to make sure you’re using a compatible antivirus system. In some cases even if compatible it was necessary to uninstall the antivirus software, apply the Windows updates and then reinstall the antivirus software.
Furthermore, recently Microsoft Windows updates totally incapacitated some desktops using certain AMD processors and Microsoft has stopped rolling out updates for these until the issue is resolved. They blamed AMD for inaccurate documentation. Let the finger pointing begin. There are a lot of players and no one really wants to be taking all the blame.
All this also came at an unfortunate time with CES 2018 in full swing, and Intel is desperately trying to steer the conversation away from its flawed CPUs. The fact that CEO Brian Krzanich decided to sell all the Intel stock he was allowed to under the terms of his contract (translating to US$24 million) back in December raised more than a few eyebrows in the wake of the disclosure of the flaws, and also spawned some interesting web memes. One appeared soon after referencing “Intel Insider Trading”, a jab at the “Intel Inside” campaign the company used for many years. Far from a laughing matter though, U.S. lawmakers are now calling for an investigation into the Intel CEO’s actions, especially considering their timing.
So why will Meltdown and Spectre be haunting everyone for a while? Aside from the obvious update hassles there is also lingering impact.
The impact of Meltdown
While Meltdown affects Intel processors primarily and can be addressed with an OS update, patching doesn’t come without setbacks, primarily related to performance. Newer processors will feel less of a performance hit but processors released before 2015 have been harder hit with figures of 30% slowdown being reported. This is due to the nature of the necessary patches. In simple terms, Meltdown was caused by shortcuts taken to speed up processors but which also came at the expense of security which seems to have been more of an afterthought rather than a core focus, and now everyone is paying the price. These shortcuts are now being avoided through OS patches which means that the additional processing required slows things down and the older the processor the bigger the slowdown.
Cloud providers such as Amazon, Google, Microsoft and IBM have all been affected by a general slowdown in cloud server performance meaning that while maintaining the same resources, outsourced IT infrastructure will be slower, websites will be slower and devices in general will be slower. Many mobile apps rely on cloud infrastructure also, meaning that they will be slower too. The fix is to increase resources but that comes at additional cost across the board. Furthermore the initial OS patches were sledgehammer solutions that sought to quickly fix the problem, and were not optimized to minimize performance impact. It is likely that over the next few weeks to months we will see additional refinements to the patches that will seek to address and minimize the performance hit.
As soon as the news was available, at CaribMedia we were busy working with our cloud and dedicated server providers to implement the necessary Meltdown patches to all servers, and this was completed between Thursday January 4th and Saturday January 8th. It is quite likely that as firmware updates are released to hardware, additional patches and possibly reboots will be required.
Spectre will continue to haunt us well into the future
Spectre is a different animal. It cannot be addressed by updates to the operating system. Each computer or device manufacturer will need to release firmware/BIOS and possibly hardware updates. Not only that, but each different product range and type of computer/laptop and device will likely require different types of updates. For this reason all manufacturers are currently scrambling to code the necessary updates based on information from Intel, AMD, ARM, Qualcomm, IBM etc. and they are nowhere near ready. Suppliers such as Dell, HP, Acer and Intel themselves have made announcements outlining the planned release schedule for their products. Others such as smaller niche manufacturers (e.g. gaming machines) are yet to comment at time of writing.
So what should businesses do to protect themselves?
Against Meltdown:
1. Stay informed! The first thing we did was to get as much information as possible. One of our suppliers, Cybereason, had a very good webinar on January 5th on the Meltdown and Spectre bugs which we made it a point to attend. A recording is available and we recommend it to anyone interested in learning more.
2. With Meltdown, anyone who has computers in their office that are used for browsing is at risk. Make sure the operating systems on these computers are up to date and be vigilant about updates over the next weeks and months. If you’re still running older operating systems such as Windows XP, you have a whole load of other things to worry about.
3. If you’re using Chrome as your browser, enable strict site isolation now, since a Meltdown Chrome update will not be available until later in January, and if you’re using Firefox you should enable first party isolation which does a similar job. If you’re using an older version of Internet Explorer, there’s never been a better time to upgrade than now!
4. Office servers should also be patched with OS updates as they are released.
5. Smartphone devices should all be updated to the latest OS versions. Again performance may take a hit on older phone models but better that than your email passwords and other sensitive information such as stored credit card data being there for the taking.
Against Spectre:
For Spectre patches, you will need to check your computer manufacturer’s website for firmware updates and make sure these are applied once available. Many Spectre patches are not yet available so it is important to check back regularly according to the expected release timeframes indicated by each manufacturer.
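On Linux servers, the kernel itself reports whether Meltdown and Spectre mitigations are active, which gives a quick check after patching and rebooting. The script below is an added example, not part of the original article; it assumes a kernel that provides the /sys/devices/system/cpu/vulnerabilities files (4.15 or a distribution backport), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# Assumption: the kernel exposes one text file per issue in the directory
# below. Typical contents are "Not affected", "Vulnerable" or
# "Mitigation: PTI" (the mitigation name after the colon varies).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_issue DIR NAME -> prints "NAME STATE"
check_issue() {
    file="$1/$2"
    if [ -r "$file" ]; then
        state=$(classify_status "$(head -n 1 "$file")")
    else
        # No file: the kernel predates the reporting interface, so it
        # most likely predates the patches as well.
        state="unreported"
    fi
    echo "$2 $state"
}

# report [DIR] -> one line per issue; returns 1 if any issue needs action
report() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        line=$(check_issue "$dir" "$name")
        echo "$line"
        case "$line" in
            *" mitigated"|*" not-affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run the check only when asked, so the functions can also be sourced:
#   sh check_cpu_flaws.sh --report
if [ "${1:-}" = "--report" ]; then
    report "${2:-}"
fi
```

A non-zero exit status means at least one of the three issues is reported as vulnerable, unknown or not reported at all, so the machine still needs an OS or firmware update.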
Useful manufacturer links:
HP announcement and support
Dell announcement and support
Acer announcement
Apple announcement on security updates
Android information
Other useful resources
List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates