More About Meltdown and Spectre

 In Cyber Security

It’s been over a month since the Meltdown and Spectre vulnerabilities were reported. These hardware-based issues are among the most challenging that the industry’s had to deal with, and solutions and workarounds are still being developed. Here’s the latest on what’s happening in the effort to address these risks.

Vendor Patches Have Caused Instability

Intel offered a firmware fix for Spectre that led to instability, reboots, and potentially data loss or corruption. As a result, Microsoft released a patch to disable that update. Dell and HP also stopped deploying BIOS updates with the Intel code.

Microsoft’s own initial patches were buggy as well and the company was forced to stop deploying them on AMD devices to avoid an unbootable state.

Linux vendors have issued some patches, but a full fix in Linux will depend on Intel resolving the firmware issues.

Apple has rolled out fixes to both the current MacOS 10.13 version of its operating system as well as the older 10.12 and 10.11 versions. Apple has also provided patches to the iOS 11 mobile operating system. An update to the Safari browser will protect against a JavaScript exploit of Spectre.

Vendor Patches Have Caused Slowness

Even the vendor patches that didn’t cause instability have caused some issues due to slowness. The patches unavoidably limit some features that were implemented to improve performance. The impact is especially noticeable to IO-intensive applications, such as databases. Anecdotal reports in online forums indicate the impact can vary from 10 to 45 percent. Processors that include PCID—Processor Context Identifiers—mitigate this impact. Not all CPUs support this feature, however.

Future Chips Will Include A Hardware Fix

Because these vulnerabilities come from the hardware, a true solution has to come at the hardware level, too.

Intel has said it will ship chips that include a fix for this problem later this year. However, it hasn’t made clear which versions of chips will have the fix, nor has it stated whether the chips will simply have a better-performing version of the microcode patch that’s been distributed or whether there will be a fundamental redesign. Currently, it’s also not known whether Intel’s new chips will address both Meltdown and Spectre or only Meltdown, which is a simpler fix.

AMD chips are vulnerable to only one of the Meltdown and Spectre variants, and the manufacturer has stated it will have a fix in silicon by 2019.

It’s important to recognize that even when a silicon fix is available, it will probably not be retroactive—there’s no expectation that the manufacturers will recall existing chips and replace them with the new ones. The best way to address the ongoing concerns over Meltdown and Spectre is to make sure you apply stable patches as they become available and to ensure that you apply good IT security across your business:

  • train users to recognize phishing attempts
  • require strong passwords and use 2-factor authentication
  • keep antivirus software up-to-date
  • use firewalls, intrusion detection/prevention software, and data loss prevention software

The team of certified security experts at Prescient Solutions can assess your current infrastructure to identify your vulnerabilities and implement a cybersecurity strategy to protect your critical data. Contact us to learn how to keep Meltdown, Spectre, and other cyberthreats from attacking your business.

Recent Posts
/*
*/ Protecting Against Meltdown and Spectreschool cyber security