Intel Meltdown And Spectre Explained – How Intel Screwed Up?
2019 July 17th at 1:28
Do you have a computer with an Intel CPU or run a website? If so, you are almost guaranteed to have been affected by two huge vulnerability flaws, potentially revealing all of your sensitive information, such as cryptographic keys, passwords, or files.
Discovered in January 2018 independently by several groups of researchers, Meltdown and Spectre affect seemingly all Intel chips made since 1995.
What do these bugs do? Are you affected? Should you immediately throw away your Intel computer?
Let's find that out.
Update July 2019: Since Intel disclosed the vulnerabilities, it managed to handle them and released Intel editorial on how they reacted. But the flaws did not end with 2018. Intel was experiencing the second wave of attacks in 2019.
What are Meltdown And Spectre?
The discovered bugs are called Meltdown and Spectre. Meltdown works by melting the security boundaries and allowing to read all memory in the affected system. Hence the name Meltdown.
Spectre is like a ghost tricking processors into performing processes they should not be doing.
In simple terms, the two bugs use the errors in CPU features to see the private information and make the computers do the tasks they want.
But Intel Meltdown and Spectre are just singular bugs. There are many modifications of them working to affect different systems. The affected devices even include iPhones, iPads and other mobile devices, as well as any computer.
Since the disclosure, Intel has reacted swiftly to fix these errors - but as time has shown, things were not as simple as it first seemed.
Intel Response To Meltdown and Spectre
When the bugs have been since announced, the CPU maker wasn't publicly taking them seriously. The early Intel response about Meltdown and Spectre has angered a lot of people, solely because it pretty much stated that the bugs do not exist.
Intel believes these exploits do not have the potential to corrupt, modify or delete data.Intel Newsroom, January 2018.
Also, the updates which Intel has issued were not supposed to visibly affect the performance of the processors.
Later on, the company statements became less and less confident, admitting that the impact of performance may be higher than previously thought. This appeared to be true, especially following the statement from Microsoft:
According to them, late-2015 and newer Intel processors with the latest software had few issues. But the combination of older software and hardware suffered some serious decrease in performance.
And that's not the end - the early updates had people noticing not only drops in performance, but also the computers spontaneously rebooting. Intel had advised users to skip the patch and wait for the new one to be released.
In short, Intel has said that the problem doesn't exist - then said that solutions to the non-existent problem were so bad, they shouldn't be used.
And this doesn't stop there. Despite the patches being released, problems continued well into the year. In May 2018, Microsoft, Google, and Intel have disclosed a couple more new chip vulnerabilities. Further updates to fix that have been released.
But it already looks clear that those issues won't disappear so easily - and that they were a systematical error, which might bug us for years to come.
What effect are Meltdown and Spectre having?
In short - Meltdown and Spectre can be used to hack into a system. But the real effect is seen in the Intel fixes instead.
If you're a website owner, you might have noticed some changes in the server performance - because the hosting companies sure did. This information comes from Hostwinds, one of our top-reviewed web and cloud hosting providers.
When asked about the issue, CEO Peter Holden has noted that there were some challenges:
We did notice slight increases in overhead on existing at capacity nodes. We just added new nodes, and migrated clients around to ensure that the service experience is consistent across our infrastructure. We also took the time to apply the recommended bios updates to our impacted servers. This helps to keep our clients secure.Peter Holden, CEO of Hostwinds
To put it in simple terms, Hostwinds has noticed a slight change in performance. It has been solved by adding extra resources and optimizing the accounts in the server, so the overall experience doesn't change by much. Also, there were software updates applied, which would help fix the issue in terms of software.
Another proof real-world effect came from Epic Games - creator of the video game Fortnite. The company has announced that the online platform is experiencing problems. The reason for that? Intel's fixes for the meltdown patch.
In a publicly released picture, we can see the issues their servers had after the first patch.
Here's how different cores act after an update. It appears that one of them (#1) has increased its usage because it is stopping the discovered leak.
So this is where those "performance issues" were coming from!
Overall though, it looks pretty clear. Both your favorite games and hosting providers have most likely felt the negative effect of Meltdown and Spectre bugs. But with a bit of extra work and care, everything appears to have been solved.
What hasn't been solved, however, is Intel's reputation. To be fair, it is no surprise to see the online communities absolutely angry at them.
Here, the notoriously-vocal founder of Linux, Linus Torvalds has been absolutely furious. In a message in Linux kernel mailing list, he was expressing his frustration:
As it is, the patches are COMPLETE AND UTTER GARBAGE. They do literally insane things. They do things that do not make sense. <....> The patches do things that are not sane.
WHAT THE F**K IS GOING ON?Linus Torvalds, Linux Kernel Mailing List, January 2018.
What can you do to avoid Meltdown and Spectre?
Looking to stay protected against Meltdown and Spectre, and thinking about what can you do? In short - you can't do much.
Tech companies have released patches to stop Meltdown and Spectre from causing any additional damage, so make sure your computers are updated to the latest software.
- Windows have released an emergency update in January 2018 and an additional update in May 2018 - we strongly recommend updating your software to the latest version.
- For Mac users, there are bug protections in the macOS version 10.13.2 - so update as well.
- Chromebook users shouldn't be overly worried - they should be automatically updated to Chrome OS 63, which includes all the needed security patches.
If you're a website owner and wish to protect your data, make sure to contact your hosting provider and ask about the measures they've applied. Hosting providers were quick to react and updated as soon as possible. It's no surprise. After all, Meltdown and Spectre attacks work with data going from one part of a computer to the other.
So, if a single device is shared between multiple users, the likely damage multiplies, as a hack affects all of them.
Therefore, changes have been made. cPanel, DirectAdmin, and Plesk panels, running on Intel CPUs, have also been updated to latest kernels. If you're a website owner, currently, there's no serious danger.
2019: Second Wave Of Intel Meltdown Attacks
Since the first Intel Meltdown and Spectre attacks, researchers have been speculating about a new era of computer vulnerabilities.
And they were right.
The patches that solved Meltdown and Spectre issues were not the end of the problems. In May 2019, the second wave of Meltdown attacks was revealed.
Intel has called the new attacks "microarchitectural data sampling." This class of attacks can overcome previous fixes and reach sensitive data such as passwords, encryption keys, etc. despite the mitigations done earlier. New attacks are targeting servers, desktops, and laptops.
But there's something really ironic:
The measures that Intel has taken to stop Meltdown, made hardware even more exposed to the new types of attacks. Older hardware is less vulnerable.
AMD and ARM reported that they were not affected by the new security flaws.
The Effects of the Second Wave Of Intel Meltdown Attacks
Intel yet again has taken measures to prevent further microarchitectural data sampling attacks. It introduced microcode updates and other instruction sequences for software can be used. At the hardware level, Intel has built-in solutions for its 8th and 9th generation processors.
Also, Intel recommends disabling the Simultaneous Multi-Threading (SMT) or otherwise known as Hyper-Threading Technology. It does not prevent the attacks but makes them harder to perform.
Unfortunately, like with the Intel Meltdown and Spectre attacks, the new solutions are also negatively impacting CPU performance.
While Intel records only 1% to 9% performance loss on its Core i9-900K CPU, Apple has more serious troubles. It recorded around 40% loss in performance.
From this, we can say, that hardware updates are unavoidable, as software mitigations are slowing the processors down. From a hosting perspective, even the 9% loss in performance may and will affect the users negatively. It results in slower server response time, hence longer page loading times.
What's next for Intel?
For now, Intel's future looks uncertain. The fight against these bugs continues, but it's a tough one. They affect most of the processors built after 1995, and there are still loads of active devices which are in trouble - some of them might be yours. So in the future, we might hear stories about the bug doing serious real-world damage. After all, new vulnerabilities keep on getting unearthed and we don't know if the issue is fully solved or if something new and critical will come along.
The fixes caused problems too, and if you own an older Intel CPU and run something like Windows 7, or 8, your computer will be noticeably slower. So for Intel users, these bugs should be a good reason to upgrade to a faster chip.
Will it be to a newer Intel model? Many users may jump ship and choose a competitor, such as AMD, which was virtually unscathed by these bugs. Considering the trust in Intel has gone down, this could be a beginning of a darker chapter in this company's history.
We will hear more about it, no doubt. Especially considering there are already several consumer class action lawsuit against Intel, which may reveal some new information and potentially hurt the company financially.
So, to sum it up, Intel has had a rough year couple of years. Is it still worth trusting Intel's products? We'll have to wait and see - or change the CPU and stop worrying.