Meltdown and Spectre CPU Security Attacks Haunt the Chip Industry -- Tech Giants like Apple, Google, Microsoft, Linux, Amazon in Action
In a massive revelation by Google’s Project Zero team this week, major design fault has been detected in Intel chips.
What action is Intel taking to protect against the flaws?
Intel claims to have developed and is issuing updates for all types of Intel-based machines that will “render those systems immune from both exploits (referred to as ‘Spectre’ and ‘Meltdown’)”, reported by Google Project Zero. “Intel has already issued updates for the majority of processor products introduced within the past five years,” says an Intel spokesperson. “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years”. Intel’s comment of “immune” raises further speculation among industry leaders. The New York Times reported yesterday that Spectre fixes will be a lot more complicated as they require a redesign of the processor and hardware changes, and that we could be living with the threat of a Spectre attack for years to come. Intel’s statement appears to suggest that this isn’t the case for its own processors and security fixes.
Intel, AMD and ARM chips affected
The attacks paralyse hardware produced by top chip manufacturers like Intel, AMD (Advanced Micro Devices), and SoftBank-owned chip designer ARM Holdings. The first attack, dubbed “Meltdown,” is specific to Intel chips and allows hackers to circumvent the isolation barrier between user applications and operating systems, thereby opening up access to otherwise restricted machine memory. The second problem, “Spectre,” which is harder to exploit but has no available patches, lets hackers extract confidential information out of the memory of devices running Intel, AMD, and ARM chips.
What actions being taken by industry leaders?
Big tech companies, including Microsoft and Apple, are having tough time to address these threats by developing fixes for their software while cloud computing giants, like Amazon and Google, have been rushing to apply patches to their data center infrastructure.
Google stated that Android phones with the most recent security updates are protected, and users of web services like Gmail are also safe. Chromebook users on older versions will need to install an update as it is ready. Chrome web browser users are expected to receive a patch update on January 23, 2018.
Microsoft released an emergency Meltdown patch for Windows 10 on January 4, 2018, it will subsequently be applied to Windows 7 and 8 machines, alongside software updates for Firefox and an update coming to Chrome later this month.
Apple has not yet commented publicly on the bugs, but AppleInsider reports that Apple has already deployed a partial fix for the security bug in macOS 10.13.2. More changes are expected to come with 10.13.3 soon. Security updates are also under processing for Apple laptops and desktops, though it is not clear whether iPhones and iPads are vulnerable.
Cloud services for businesses, including Amazon Web Services and Google Cloud Platform, state they have already patched most services, and will fix the rest soon.
Most of the latest CPUs don’t seem to be reporting any performance issues on the Windows side, but lot of questions being raised about Linux - based computers and virtual environments used for cloud computing. After Intel’s response yesterday, some Linux administrators are reporting performance impacts.
What do researchers predict?
The unforeseen news about Meltdown and Spectre comes at a time when the industry is gearing up for CES, the mega Consumer Electronics Show, in Las Vegas (January 9 - 12).
Many participants will be wondering how the new products on display will be impacted by the bugs, and marketing materials detailing speed increases will likely have to be revised.
Experts also think that since Meltdown and Spectre reveal fundamental flaws in how computer chips are designed, there will have to be serious iterative thought process about how such technology including designing of operating system and CPUs are made in the future.
While the industry continues to patch both of the Meltdown and Spectre bugs, there has been a lot of discussion about possible system slow downs. “Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the regular computer user, it should not be significant and will be mitigated over time,” says Intel. “While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact”. It’s still early in the process to get a better overview of the impact, but if 90 percent of processor products are patched by the end of next week we’ll have a better idea on the legitimate issues that could arise from these kernel changes. Until then Intel and other chip makers will definitely continue to work with partners and others to address these issues.