The three biggest CPU manufacturers, Intel, AMD and ARM, recently announced flaws affecting most of their chips, old and new. The biggest discovery was Meltdown (primarily Intel), but all three have issues with Spectre.
You'll also see the names KPTI, KAISER and F**CKWIT thrown around. Those are not names for the flaw; they're names for the kernel-side fix (kernel page-table isolation). The flaw itself is a side channel in the way processors speculate ahead, and it leaks memory contents.
All processors use some kind of strategy to optimize performance. One of them is speculative execution: rather than wait to find out whether an instruction is really needed (say, while a bounds check or a permission check is still being resolved), the processor guesses and runs ahead, then throws the work away if the guess was wrong. The discarded work still leaves traces in the processor's cache, and an attacker who carefully times memory accesses can read those traces back. That is what lets malware running on the device (for Spectre, even script running in a browser) read memory it should never see: passwords, credentials, and data belonging to the kernel or to other programs. Here's a decent summary article from our security partners at Sophos.
The two primary attacks are known as “Meltdown” (affecting Intel processors almost exclusively) and “Spectre” (which adds AMD and ARM to the mix).
Trust me, it’s complicated. Here’s a decent article about it. And it’s built into the hardware. So, if the chip has the flaw, the chip itself is not going to be fixed. Period. It isn't a question of age, either: essentially every Intel processor made in the last twenty years is affected by Meltdown, and current chips from all three vendors are affected by Spectre. Intel has been especially aggressive with this kind of speculation, which is why Meltdown in particular hits its processors hardest.
What’s the fix for Meltdown and Spectre?
Well, since the chip can't be changed, the only real option is to work around it in software: keep the memory an attacker wants out of reach of the speculation, and block the instruction patterns that make speculation leak. Which is why Microsoft, Linux and Apple have released patches to their respective Operating Systems.
For Meltdown, the patch (that's the KPTI/KAISER part) stops mapping kernel memory into each program's address space, so there is nothing for the speculative read to hit. For Spectre, the fix is a mix of compiler changes, OS changes and CPU microcode (firmware) updates that restrict the speculation itself, which is why a firmware update from your hardware vendor is part of the picture.
Unfortunately, that means your system loses some of the performance that optimization was buying, mostly on workloads that hop between programs and the kernel a lot (heavy disk or network I/O, databases, virtualization). Intel originally announced that these patches wouldn’t impact performance, but now seems to be backtracking on that statement. Microsoft announced yesterday that patched machines will indeed see a performance hit. That makes sense. An article published today quotes MS and Intel as saying there’s a hit of between 2-14%, depending on the tasks. Click here for that article.
So, what should you do?
Well, vendors are releasing patches to fix the problem. It doesn’t help that Microsoft pulled their patches yesterday after they left some AMD-based systems unbootable (click here for that). To be honest, we haven’t actually seen any active exploit from either Meltdown or Spectre yet.
But you know it’s coming. So although I’d be a little hesitant to patch workstations immediately, I’d give it serious consideration within the next week or so.
What about servers?
As to servers, I’d wait a little longer until we hear more about the kind of performance hit the patch will create, and I'd try it on a non-production box first.
Also, patching alone won’t fix the servers completely. On Windows Server the patch installs the mitigations but leaves them switched off by default, so you’ll have to also:
- Apply the MS patches (Windows Update won't even offer them until your antivirus vendor has set its compatibility flag in the registry)
- Make changes to the registry to turn the mitigations on
- Apply firmware (microcode) updates from your hardware vendor, if available; without them the Spectre part of the fix can't take effect
Click here for further instructions from Microsoft.
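Here is what those three steps look like on a Windows Server box. This is an added example written for this post, not Microsoft's own script; it assumes an elevated PowerShell 5 session, the January 2018 cumulative update already installed, and internet access to the PowerShell Gallery for Microsoft's SpeculationControl module. The registry values are the ones Microsoft documents in its Windows Server guidance (KB4072698); the function names are ours.

```powershell
# Added example for this post (not Microsoft's code). Assumes an elevated
# PowerShell 5 session on Windows Server with the January 2018 update installed.
# Registry paths and values are from Microsoft's Windows Server guidance (KB4072698).

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$QualityCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'

function Enable-SpectreMeltdownMitigations {
    # Step 1: the antivirus compatibility flag. Windows Update withholds the
    # January patch until this value exists. Your AV vendor normally sets it;
    # only set it yourself after the vendor confirms their product is compatible.
    if (-not (Test-Path $QualityCompat)) { New-Item -Path $QualityCompat -Force | Out-Null }
    New-ItemProperty -Path $QualityCompat -Name 'cadca5fe-87d3-4b96-b7fb-a231484277cc' `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # Step 2: turn the mitigations on. The patch ships them disabled on Server SKUs.
    # Override = 0 with Mask = 3 enables both the Meltdown fix (kernel VA shadowing)
    # and the Spectre variant 2 fix (branch target injection). To roll back,
    # set Override = 3 with Mask = 3 and reboot.
    New-ItemProperty -Path $MemMgmt -Name 'FeatureSettingsOverride' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $MemMgmt -Name 'FeatureSettingsOverrideMask' `
        -PropertyType DWord -Value 3 -Force | Out-Null

    Write-Output 'Mitigations enabled in the registry; reboot for them to take effect.'
}

function Test-SpectreMeltdownMitigations {
    # Step 3, after the reboot and after the firmware update: ask Windows what
    # actually took effect. Microsoft's SpeculationControl module reports both the
    # OS side and whether the CPU microcode (firmware) for Spectre variant 2 is present.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Force -Scope CurrentUser
    }
    $s = Get-SpeculationControlSettings

    [pscustomobject]@{
        MeltdownHardwareVulnerable = $s.KVAShadowRequired            # $true on affected Intel CPUs
        MeltdownOSMitigationOn     = $s.KVAShadowWindowsSupportEnabled
        SpectreV2FirmwarePresent   = $s.BTIHardwarePresent           # $false until the vendor microcode is installed
        SpectreV2OSMitigationOn    = $s.BTIWindowsSupportEnabled
    }
}

# Usage:
#   Enable-SpectreMeltdownMitigations      # then reboot
#   Test-SpectreMeltdownMitigations        # expect every *On value to be $true;
#                                          # SpectreV2FirmwarePresent stays $false until
#                                          # the hardware vendor's firmware update is applied
```

The last line of that report is the one people miss: if SpectreV2FirmwarePresent comes back false, the registry change and the Windows patch are in place but the Spectre variant 2 protection still isn't active, and only the firmware update from the server vendor will change that.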
To our customers:
To our SiMS customers, we’ll be communicating more directly with you about our patching strategy and schedule later this week.
To everybody else:
Got questions? Email us at Info@Simplex-IT.com and we'll try to help.