That start of the year could have been better, tech-wise, since one of the biggest security flaws in computing history was made public, affecting almost all computers on the planet, and what’s worse: it’s a hardware-flaw so it can’t be fixed, or can it?
This blog is intended as a go-to place to track back on the news, fixes, tools and basically everything there is to know about these CPU vulnerabilities which are called ‘Meltdown’ and ‘Spectre’. I intend to update this post with more links to interesting new findings as this story develops…
First of all: what is Meltdown and Spectre?
For the first time in history (as far as I can recall anyway) a security flaw has been discovered in hardware instead of the software running on it. The most important hardware of all in fact: the CPU that runs your computer. The threat affects basically any CPU on the market (even the CPU’s of mobile devices!!), with the Meltdown threat seemingly mainly aimed at Intel silicon specifically.
In this comprehensive article from ArsTechnica you can read up all about how the flaws work and how and if they can be patched:
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
Immediate concern is for Intel chips, but everyone is at risk.
Check if you’re protected
Windows Central has cooked up a pretty comprehensive tutorial on checking your system for these vulnerabilities, and that includes a guide and explanation on how to fix the vulnerabilities. They note that several patches have to be in place before you can be considered safe, like BIOS/UEFI updates as wel as OS patches. And make sure to deactivate your AntiVirus application if it is a third party one…
How to check if your PC is protected from the Meltdown and Spectre exploits
In this guide, we show you the steps to make sure your device has the necessary patches against Meltdown and Spectre security flaws found in modern microprocessors, and we’ll tell you what to do if your PC is still vulnerable.
Since these Meltdown and Spectre and their corresponding patches became public, much talk has been going on about the performance impact. Because said patches would affect your computer with up to a 30% performance decrease. Shortly after all this buzz Microsoft had its first telemetry data available and published data on how exactly this performance impact pans out for various specific combinations of silicon and Windows versions. Go check it out (and a lot more other info) here in an extensive blog-post from Terry Myerson (Microsoft exec.):
Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems
Last week the technology industry and many of our customers learned of new vulnerabilities in the hardware chips that power phones, PCs and servers. We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure. In this blog,
Careful with AMD CPU’s!
It appears that even AMD CPU’s were affected and the OS level patches that Microsoft rolled out to AMD powered PC’s didn’t really help out, because it caused some AMD systems to run into BSOD’s after that. Since that MSFT has paused these mitigations and is researching the issue. Meanwhile AMD itself has reported that they will release some Spectre (firmware) mitigations of themselves, starting this week:
AMD will issue Spectre fixes of its own starting this week
AMD will begin issuing optional updates to guard against Spectre vulnerabilities later this week, the company said in a new blog post.
Intel released a fix for Spectre, but a botched one…
The most severe of the threats -Spectre- has to be fixed on a BIOS / Firmware level, so by Intel. But as Intel is not a software company, it did quite a horrible job at coding a fix, even causing BSOD’s in a lot of cases. The patch was in fact so buggy that Microsoft had to jump in and disable it via a counter patch to protect its Windows users from it.
Anyway, read all about that here on the linked story below:
Microsoft patch deactivates Intel’s buggy Spectre fix
An out of band patch released by Microsoft over the weekend disables Intel’s buggy Spectre patch.
Another Intel exploit surfaces…
And if Meltdown and Spectre weren’t enough, FSecure has unearthed another vulnerability regarding Intel driven systems. The new vulnerability was found in Intel Active Management Technology (AMT) that allowed any hacker to bypass the login and security screen to gain access in just 30 seconds. However, before you start panicking about this quite severe threat, you need to know that anyone who want’s to exploit this, needs physical access to you computer to get into the BIOS. Even then, if your BIOS has been locked with a secure password (not the default ‘admin’ or alike), the hacker is not gonna get in…
Again, read more about it in this MSpoweruser article:
New Intel issue will let hackers gain full access to your PC in 30 seconds – MSPoweruser
While the world was recovering from the Meltdown and Spectre vulnerabilities, F-Secure found a new security issue which will allow hackers to gain full control of the laptops in merely 30 seconds. The new vulnerability was found in Intel Active Management Technology (AMT) that allowed any hacker to bypass the login and security screen to gain …
Update: Upcoming Intel chips will be redesigned to guard against Spectre and Meltdown
Finally, after over two months since the Spectre and Meltdown vulnerabilities were disclosed, the CEO of Intel has confirmed that it’s working on mitigating these vulnerabilities on the actual architectural level, by means of ‘partitioning’, of it’s upcoming Xeon and eight generation Core processors which will become available later this year:
Intel is redesigning its processors to guard against Meltdown and Spectre
Intel is going down to the hardware level to guard against Spectre with its upcoming processors.