We felt it was a good idea to bring everyone up to speed on what we know a week later about Spectre and Meltdown instead of waiting for our regularly scheduled Security Bits.
- We now know we need to keep an eye out for three distinct kinds of updates:
  - OS updates — most major OSes are now patched:
    - Windows 7, Windows 8 & Windows 10 have been patched
      - Microsoft have withdrawn the patch for computers with certain AMD CPUs because of BSODs (arstechnica.com/…). Microsoft are placing the blame for this squarely on AMD:
        “After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown”
    - macOS High Sierra
    - Linux
    - iOS 11
    - Android (if you can get the patch via the possibly long route between Google and your devices)
    - ChromeOS
  - Browser updates — all the major browsers are patched, or patches are on the way:
    - IE & Edge
    - Firefox
    - Google Chrome (due this month)
    - Safari
      - Desktop version updated in macOS High Sierra 10.13.2 Supplemental Update (www.macobserver.com/…) and Safari 11.0.2 for OS X El Capitan & macOS Sierra (support.apple.com/…)
      - Mobile version updated in iOS 11.2.2 — www.macobserver.com/…
  - CPU microcode updates (think of them as firmware updates for your CPU) — on the way:
    - These will arrive as firmware updates from your motherboard/computer vendor
    - Whether or not you get an update will depend on the kind of CPU you have, and how new it is
    - Both Intel & AMD are working on microcode updates
- The performance effects are even more variable than we thought last time
  - As we knew last time, the type of things you do on your computer will have a big effect on how much of a slowdown you experience
    - The performance impacts are hitting some cloud providers particularly hard, but there are some exceptions, e.g. Google say they implemented fixes to their cloud services over the last few months with no noticeable performance hit (www.reuters.com/…)
  - Age, make and model of CPU play a really big role in how badly affected you’ll be
    - Numbers from Microsoft show that CPUs from 2015 and older will be much more significantly hit than newer CPUs — cloudblogs.microsoft.com/…
  - There is a silver lining: modern OSes will be able to regain a significant amount of performance when the upcoming microcode updates make their way out.
    - OS vendors are focusing on their newer OSes when it comes to adding OS support for the new features coming in the microcode updates, so, as time goes on, your choice of OS will become an even more important factor — e.g. Windows 7 & Windows 8 are not being updated to take advantage of some of the new CPU features, but Windows 10 is.
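To see which of the three kinds of update (OS mitigation, and the microcode the OS will later build on) have actually landed on a Linux box, here is an added shell check of my own, not code from the show notes or from any vendor tool. It assumes Linux 4.15 or later (the kernel's per-issue status files) and an x86 CPU (the microcode line in /proc/cpuinfo); the sample tree it builds is constructed for illustration, with 0x84 an illustrative revision rather than a real vendor release.

```shell
#!/bin/sh
# Added example, not from the show notes. Reads the kernel's own report of
# the three issues (one file each under /sys/devices/system/cpu/vulnerabilities/,
# present from Linux 4.15) and the loaded x86 microcode revision. Both paths
# are parameters so the check runs against a constructed tree or a live host.
# Print "<issue>: <state> (<kernel text>)" per file. Exit 1 if any issue is
# still reported Vulnerable, 2 if the kernel predates the interface.
mitigation_status() {
    vulndir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$vulndir" ] || { echo "no $vulndir: kernel lacks the interface"; return 2; }
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$vulndir/$issue"
        [ -r "$f" ] || { echo "$issue: unknown (no file)"; continue; }
        line=$(cat "$f")
        case "$line" in
            "Not affected"*) state=not-affected ;;
            Mitigation*)     state=mitigated ;;
            Vulnerable*)     state=vulnerable; rc=1 ;;
            *)               state=unknown ;;
        esac
        echo "$issue: $state ($line)"
    done
    return $rc
}
# Microcode revision the kernel sees; compare it with the revision in your
# board vendor's firmware release notes to confirm an update actually took.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}
# Constructed sample: a 4.15-era kernel with PTI (the Meltdown fix) and the
# v1 fix applied, but a Spectre v2 state the kernel still flags as Vulnerable,
# on a CPU reporting microcode 0x84 (illustrative value, not a vendor release).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/vulnerabilities"
    echo "Mitigation: PTI" > "$d/vulnerabilities/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/vulnerabilities/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/vulnerabilities/spectre_v2"
    printf 'processor\t: 0\nmicrocode\t: 0x84\n' > "$d/cpuinfo"
    echo "$d"
}
# Demo against the constructed tree; on a live Linux host call both
# functions with no arguments instead.
sample=$(make_sample_tree)
mitigation_status "$sample/vulnerabilities"
echo "microcode: $(microcode_revision "$sample/cpuinfo")"
rm -rf "$sample"
```

A non-zero exit from mitigation_status is the signal to keep watching for the OS and firmware updates listed above; the microcode value only changes once the vendor's firmware update has been applied and the kernel has loaded it.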
Links
- Good Summaries
  - A good break-down of what each of the major vendors is doing to address these bugs — arstechnica.com/…
  - Here’s how, and why, the Spectre and Meltdown patches will hurt performance — arstechnica.com/…
  - Meltdown and Spectre: What Apple Users Need to Know — www.intego.com/…
- Suggested Reading
  - A great human-friendly explanation of how Meltdown works using a fast food restaurant as an analogy — dev.to/…
  - Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time — www.wired.com/…
- Propellor Beanie Territory
  - A fantastic, but technical, description of how Apple’s WebKit (the engine that powers Safari) was vulnerable to Spectre, how they changed it to mitigate that vulnerability, and how they managed to do that with only minimal performance loss — webkit.org/…
A Palate Cleanser
- A tweet showing anti-malware someone left for their parents: twitter.com/…
In relation to effects on servers such as those at Backblaze, one can mention that *if* you have control over all the software that runs on a machine, you can choose to not patch it.
This will not be the case for a cloud provider that runs applications provided by random customers or end users that run browsers (as Bart explained) but for a Backblaze server it might be worth it to avoid the performance penalty.