Meltdown: the latest news on two major CPU security bugs

Microsoft and Google are jointly disclosing a new CPU security vulnerability that’s similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says “these mitigations are also applicable to variant 4 and available for consumers to use today.”

However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts.

Intel updated its patching guidance for Spectre this week, continuing the months-long process of fixing the critical security flaw. Although the company had previously said it planned to patch all affected chips, today it clarified that some product lines won’t receive updates. Most are older and, presumably, not as widely used. They include: the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line, and the Yorkfield line.

Intel says it’s stopped production of these fixes for three reasons, in its words:

Microsoft is introducing a new bug bounty reward for the “speculative execution” CPU vulnerabilities that were disclosed recently. The software giant is offering up to $250,000 for bugs that are similar to the Meltdown and Spectre CPU flaws. Microsoft’s bounty will run until the end of the year, and it’s clearly designed to discover additional flaws as researchers begin to look at these types of vulnerabilities in processor designs.

“Speculative execution is truly a new class of vulnerabilities,” says Phillip Misner, a security group manager at Microsoft. “We expect that research is already underway exploring new attack methods.” Microsoft wants to encourage security researchers to responsibly disclose any potential CPU flaws, and up to $250,000 is probably a good way to achieve that. Microsoft also offers up to $250,000 for serious Hyper-V flaws in Windows 10.

Intel is revealing today that the company is introducing hardware protections against the Spectre CPU flaw that was discovered last year. While the Meltdown vulnerability will continue to be addressed through software updates, Intel CEO Brian Krzanich says the company has “redesigned parts of the processor to introduce new levels of protection through partitioning” that will protect against the Spectre variants. Intel’s next-generation Xeon processors (Cascade Lake) will include the new partitioning, alongside 8th generation Intel Core processors that ship in the second half of 2018.

The partitioning will work as an extra protective wall between regular applications and the user privilege levels to deter vulnerabilities like Spectre. Existing Intel processor owners without the new CPUs will have to continue to rely on firmware updates for Spectre protection, which also include potential performance impacts. That doesn’t appear to be the case for Intel’s future products. “As we bring these new products to market, ensuring that they deliver the performance improvements people expect from us is critical,” says Krzanich. “Our goal is to offer not only the best performance, but also the best secure performance.”

Microsoft is planning to distribute Intel’s firmware updates to protect Windows 10 systems against the Spectre CPU vulnerability. While Microsoft typically distributes its own firmware updates for Surface devices, the software maker usually leaves it up to PC makers to issue their own firmware updates. Microsoft is now planning to list the Intel firmware updates in its Microsoft Update Catalog, which will help IT admins distribute these to systems.

Updates for Skylake systems will be available initially, and Microsoft says it will list more system firmware updates as they become available. “We will continue to work with chipset and device makers as they offer more vulnerability mitigations,” says John Cable, from Microsoft’s Windows Servicing and Delivery team. While Microsoft isn’t committing to automatically pushing these firmware updates to the company’s Windows Update system, even listing them in the company’s Update Catalog is a step further than usual.

Intel didn’t provide US government officials with details on the Meltdown and Spectre CPU flaws until they leaked to the public last month. Reuters reports that US government officials have raised concerns that the flaws weren’t disclosed privately as they could have impacted national security. Intel didn’t report the flaws to US authorities because hackers hadn’t exploited the vulnerabilities yet. The Wall Street Journal previously reported that Intel notified a small number of customers about the flaws, including Chinese companies like Lenovo and Alibaba, before they were revealed publicly.

The approach may explain some of the confusion around Meltdown and Spectre as the flaws first came to light in a report from The Register in early January. Intel, Google Project Zero, Microsoft, and others were forced to disclose the vulnerabilities a day after The Register’s report, and initial statements from both AMD and Intel were confusing and misleading. Intel hadn’t informed the United States Computer Emergency Readiness Team (US-CERT), so there was no full warning about the security problems. Instead, CERT initially advised people to “fully remove” the flaws by replacing processors, but later revised its warning to simply patch systems.

Intel is attempting to patch Spectre again today with the rollout of patches for Kaby Lake-, Coffee Lake-, and Skylake-based platforms. The updates will cover the company’s sixth, seventh, and eighth-generation Intel Core product lines, as well as the X-series processor family. The Xeon Scalable and Intel Xeon D processors for data center systems will also be protected. The updates will be issued through OEM firmware pushes.

Intel previously issued a patch to address Spectre, but then had to tell users to stop deploying the fix because it sometimes caused computers to spontaneously reboot. At the time, executive vice president Navin Shenoy recommended users skip the patches until a better version could be deployed, which appears to be the fix announced today. Shenoy writes that this new patch has been extensively tested.

Intel has revealed today that the company is facing at least 32 lawsuits over the Meltdown and Spectre CPU flaws. “As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed,” says Intel in an SEC filing today. The customer class action lawsuits are “seeking monetary damages and equitable relief,” while the securities lawsuits “allege that Intel and certain officers violated securities laws by making statements about Intel’s products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities.”

Intel is also facing action from three shareholders who have each filed shareholder derivative actions that allege certain board members and officers at Intel have failed “to take action in relation to alleged insider trading.” These filings appear to be related to the concerns that have been raised over Intel CEO Brian Krzanich’s stock sales.

Microsoft has been forced to issue a second out-of-band security update this month, to deal with the issues around Intel’s Spectre firmware updates. Intel warned last week that its own security updates have been buggy, causing some systems to spontaneously reboot. Intel then buried a warning in its latest financial results that its buggy firmware updates could lead to “data loss or corruption.”

Intel has been advising PC makers and customers to simply stop updating their firmware right now, until properly tested updates are available. Microsoft has gone a step further, and is issuing a new software update for Windows 7, Windows 8.1, and Windows 10 systems to disable protection against Spectre variant 2. Microsoft says its own testing has found that this update prevents the reboots that have been occurring.

Apple has rolled out a new security update to protect older operating systems against the Meltdown bug, the most easily exploitable of the processor vulnerabilities made public earlier this year. Patches for macOS High Sierra were released on January 8th, but the patch did not apply to older versions of the operating system. Today’s update brings the same protections to Sierra (version 10.12.6) and El Capitan (version 10.11.6).

It’s the latest in a string of patches Apple has released in response to the industry-wide processor failures. The company also developed patches to Safari and WebKit to protect against a separate exploitation of the Spectre vulnerability. It’s still unclear whether Apple plans any updates to its A-series processors, which would likely be the most difficult patch to develop and deploy.

Linux inventor Linus Torvalds has never been one for diplomacy. He previously said “fuck you” to Nvidia for not supporting Linux, and now Intel has angered him enough to generate some more expletives. In a message to the Linux kernel mailing list on the weekend, Torvalds has expressed his dismay at Intel’s security updates to protect against the major Spectre variant 2 CPU vulnerability. The industry has been scrambling to fix the Meltdown and Spectre vulnerabilities, and the variant 2 of Spectre has been particularly challenging.

“What the f*ck is going on?” asks Torvalds, claiming that Intel is doing “insane things” that “do not make sense” to protect against the Spectre variant 2 vulnerability. “As it is, the patches are COMPLETE AND UTTER GARBAGE,” claims Torvalds. At the heart of the issue is Intel’s approach to Spectre and the associated fixes. The Register points out that Intel’s future processors, at least for a few years, will ship vulnerable to Spectre and will include a flag that can be set in software so operating systems can protect against the vulnerabilities. Intel is essentially treating protection against Spectre as an optional feature, rather than a security bug that should be addressed.

Intel has a patching problem. All last week, users reported computers spontaneously rebooting after installing Intel’s Spectre/Meltdown patch. Now, Intel seems to be giving up on those patches entirely. In a post today, executive vice president Navin Shenoy announced that Intel had located the source of some of the recent reboot problems and is recommending users skip the patches entirely until a better version could be deployed.

“We recommend that OEMs, cloud service providers, system manufacturers, software vendors, and end users stop deployment of current versions on specific platforms,” Shenoy wrote, “as they may introduce higher than expected reboots and other unpredictable system behavior.”

Congress is starting to ask hard questions about the fallout from the Meltdown and Spectre vulnerabilities. Today, Rep. Jerry McNerney (D-CA) sent a letter requesting a briefing from Intel, AMD, and ARM about the vulnerabilities’ impact on consumers. Embedded below, the letter indicates a newfound interest from Congress in the industry’s response to the bugs, and a potentially ominous sign if lawmakers aren’t satisfied with the companies’ answers.

The two vulnerabilities are “glaring warning signs that we must take cybersecurity more seriously,” McNerney argues in the letter. “Should the vulnerabilities be exploited, the effects on consumers’ privacy and our nation’s economy and security would be absolutely devastating.”

Intel is running into problems protecting its chips from the major Meltdown and Spectre vulnerabilities that became public last week. The company has been warning customers of three specific flaws in a recent firmware update and recommending that customers hold off installing the patch, according to emails first reported by The Wall Street Journal. According to a follow-up announcement by Intel, the issue may cause reboot issues in systems running older Haswell chips.

Intel has been aware of the Spectre issues since June, but rewriting processor firmware to address the vulnerability proved to be a significant challenge. The company has committed to protecting 90 percent of its CPUs produced in the last five years, with patches to be deployed by January 15th, but technical issues have marred those patches across the board. Earlier this week, Microsoft had to halt the deployment of AMD’s Spectre patches after they rendered some computers unbootable.

AMD’s initial response to the Meltdown and Spectre CPU flaws made it clear “there is a near zero risk to AMD processors.” That zero risk doesn’t mean zero impact, as we’re starting to discover today. “We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat,” says Mark Papermaster, AMD’s chief technology officer.

AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company is planning to update older processors “over the coming weeks.” Like Intel, these firmware updates will be provided to PC makers, and it will be up to suppliers to ensure customers receive these. AMD isn’t saying whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not.

Intel CEO Brian Krzanich has penned an open letter to the rest of the technology industry, addressing concerns over the two major CPU security flaws. Intel has been issuing cleverly-worded statements, and altering its guidance on performance issues related to security fixes, but the company now says it’s ready to be transparent. “As we roll out software and firmware patches, we are learning a great deal,” admits Krzanich. “We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique.”

Intel is committing to providing updates for at least 90 percent of CPUs produced in the last five years by January 15th, and the rest by the end of January. Whether end users will get those updates is another story, as most PC makers have poor update systems in place for firmware updates. While Microsoft chooses to distributes Surface firmware updates through Windows Update, most PC makers use their own separate software rather than Windows Update.

When Graz University of Technology researcher Michael Schwarz first reached out to Intel, he thought he was about to ruin the company’s day. He had found a problem with their chips, together with his colleagues Daniel Gruss, Moritz Lipp, and Stefan Mangard. The vulnerability was both profound and immediately exploitable. His team finished the exploit on December 3rd, a Sunday afternoon. Realizing the gravity of what they’d found, they emailed Intel immediately.

It would be nine days until Schwarz heard back. But when he got on the phone with someone from Intel, Schwarz got a surprise: the company already knew about the CPU problems and was desperately figuring out how to fix them. Moreover, the company was doing its best to make sure no one else found out. They thanked Schwarz for his contribution, but told him what he had found was top secret, and gave him a precise day when the secret could be revealed.

If you’re a regular Chromebook user and worried about the Meltdown bug endangering your data, Google has published a table on the Chromium Wiki detailing which devices are vulnerable, which aren’t, and which have been patched. You can read it in full here.

If the table says “Yes” or “Not needed” in the column labelled “CVE-2017-5754 mitigations (KPTI) on M63?” then the device is safe. If it says “no,” then it’ll need an update to make things right. And if it says “EoL” (meaning “end-of-life”) then that update is never coming because the device is no longer supported.

Intel hasn’t had the best of times recently. Meltdown and Spectre security flaws have helped reveal fundamental issues with processor designs over the past 20 years, and the software updates to protect PCs will have performance impacts. Even as I write this, it’s still not clear to anyone exactly how bad these performance impacts will be for older desktop systems, or how significant they’ll be to server-based cloud platforms. It’s all a bit of a mess, and Intel hasn’t helped with its lack of transparency. It’s time for Intel to stop hiding behind cleverly worded statements.

Intel’s first response to the initial Meltdown and Spectre rumors was an angry blog post that provided few details, and claimed “performance impacts are workload-dependent,” and that they “should not be significant” to the average computer user without even a mention of potential server problems. Intel made it clear it wasn’t the only chipmaker affected by the issue, and the buzz over performance issues continued.

Microsoft is taking the surprise step of detailing how Spectre and Meltdown firmware updates may affect PC performance. The tech industry has been scrambling to issue updates to protect against the two CPU security flaws over the past week, and there have been many reports of potential performance issues. The good news is that for modern PCs running Windows 10, most consumers won’t notice a significant difference. If you’re on an older machine, particularly a Windows 7 or Windows 8 one, then there’s going to be some noticeable performance changes.

According to Microsoft, Intel Haswell processors and older will be impacted the most by a series of firmware updates designed to protect against the Spectre CPU security flaw. Intel has been working with PC makers to ready firmware updates, but it’s fair to say most machines do not have these installed just yet. These updates will impact PC performance, but the level of impact depends on what that PC is doing and how old it is. Microsoft warns that most benchmarks we’ve seen reported “do not include both OS and silicon updates.”

Microsoft has paused distributing its Meltdown and Spectre security updates for some older AMD machines after reports of PCs not booting. Microsoft’s support forums have been full of complaints from PC owners with AMD processors, and the software giant has acknowledged the issues today. Microsoft is blaming AMD’s documentation for the unexpected problems.

“Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates,” says a Microsoft spokesperson. “After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”

Speaking today at Intel’s big CES keynote, CEO Brian Krzanich addressed the biggest issue Intel faces today: the security and speed issues surrounding Meltdown and Spectre. “Want to thank the industry for coming together ... to address the recent security research findings reported as Meltdown and Spectre,” Krzanich said, calling the response to the issues a “collaboration among so many companies.”

He promised that “for our processors and products introduced in the past five years, Intel expects to issue updates for more than 90 percent within a week, and the remaining by the end of January.” As for the impact that those updates will cause to performance, Krzanich stuck to Intel’s line that “we believe the performance impact of these updates is highly workload dependent,” though that “some workloads may experience a larger impact that others, so we’ll continue working with the industry to minimize the impact on those workloads over time.”

Apple has released three new security updates aimed at protecting Safari and WebKit from the Spectre attack. The three updates make changes to iOS, macOS, and Safari itself, but in each case, the stated goal is protecting Safari and the underlying browser engine against attacks exploiting the recently published Spectre vulnerability.

Few further details are available on the updates, although Apple’s description indicates the purpose of the updates is to protect against Spectre attacks. The researchers responsible for discovering the bug, including Google’s Jann Horn, are thanked in the acknowledgments.

As the technology industry continues to react to two major CPU bugs, we’re starting to see early signs of performance issues from security patches designed to fix the problems. Epic Games has released a chart of CPU usage after it patched its back-end services to address the Meltdown vulnerability. It shows a roughly 20 percent increase in CPU utilization, immediately after the patches were applied. The company released the chart to “provide a bit more context” around recent login issues and stability with its Fortnite game.

“All of our cloud services are affected by updates required to mitigate the Meltdown vulnerability,” says an Epic Games spokesperson in a forum post. “We heavily rely on cloud services to run our back-end and we may experience further service issues due to ongoing updates.” Epic Games warns that issues may continue next week as the company works with cloud providers to address the issues and prevent further problems arising.