Meltdown and Spectre are huge vulnerabilities for Intel and others: What you need to know
Two serious security vulnerabilities found in most computer chip designs around the world, dubbed Meltdown and Spectre by a group of academic and industry researchers, has the tech industry scrambling to protect systems, but it looks like consumers will just have to update and pray.
On Wednesday, chip behemoth Intel Corp.
hosted two conference calls, one for industry analysts and another for investors, after acknowledging a major vulnerability that could potentially affect all systems with its microprocessors designed in the past decade or more.
“Someone has figured out a way to exploit the architecture that is built into all modern computer systems,” said Steve Smith, Intel’s engineering lead who is investigating the issues.
Intel emphasized that the vulnerability was “not a flaw” in its chip designs and tried to play down the potential threat to systems or to its business. Executives and engineers on the company’s investor call said they were unaware of the threat actually being exploited and said they did not expect any material impact on the company.
But for consumers, corporate users and IT managers around the world, the potential threat is real. Meltdown is specific only to Intel processors, but Spectre could affect devices with chips from Intel, Advanced Micro Devices Inc.
and ARM Holdings, now owned by SoftBank Group Corp.
The two security flaws, which involve the way processors use different techniques to work as quickly as possible, were disclosed on Wednesday in two papers and a blog post from Alphabet Inc.
Intel first learned of the vulnerability in June but said it took the lead working with software giants and other hardware makers on patches that would negate the effects of Meltdown. Consumers should update their devices when prompted to ensure that updates meant to stop Meltdown are installed, but there apparently is no known cure for Spectre at this time.
Simply put, the vulnerability in Meltdown occurs when the processor uses out-of-order execution, looking ahead to schedule subsequent operations to idle execution units of the processor. The vulnerability in Spectre occurs in speculative execution, where it tries to guess the destination and execute ahead. Both of these operations leave the system memory open to vulnerabilities, researchers discovered.
“The way we designed computers is we tried to make them smart as to where the instructions come from. If the computer has to go out to the drive every time it will be slow,” said Jack Gold, principal analyst with J. Gold Associates. “They go out to prefetch data,” which speeds things up, he said.
Intel disputed parts of The Register’s scoop on the vulnerabilities, especially claims that a fix will slow down performance, saying the “average computer user” would not notice a change. But executives also acknowledged that any fixes could slow down computers, with the change in speed depending on the workloads. That could make a fix especially problematic for large-scale cloud providers like Google, Microsoft Corp.
and Amazon.com Inc.
, which all issued statements on their work to combat the issue.
“It’s an architectural flaw brought about by a design decision made to increase performance, and it’s baked into hardware. The required software fix will slow things down,” said Roger Kay, principal analyst at Endpoint Technologies, in an email. “Now, many performance-oriented tasks, like gaming, don’t switch much between user and kernel levels, but many cloud computing tasks do. And those servers are mission critical. They’re right in the middle of the workflow. Intel has almost all the server hardware locked up. This could open it for others, notably AMD.”
After its shares were bruised badly in morning trading, Intel said in the early afternoon it was working on updating its chip instructions via firmware updates and that software vendors like Microsoft and Linux developers such as Red Hat Inc.
were working on software updates. Countermeasures will work on Meltdown, but one such approach, which would be to disable out-of-order execution, would devastate performance, the researchers wrote. Indeed, Intel said that the patches will slow down performance anywhere from 3% to 30%.
But the researchers noted in their paper on Spectre that “there is currently no way to know whether a particular code construction is, or is not, safe across today’s processors — much less future designs. A great deal of work lies ahead.”
The best advice for now is to never save any passwords in your browser or cache, and take advantage of any and all software and firmware updates from Intel, Microsoft and other providers as soon as possible. The discovery of these vulnerabilities are also likely to affect future microprocessor design, and the performance of data centers, so this story will not go away anytime soon.
Intel stock closed Wednesday with a 3.4% decline at $45.26, and dropped lower than $45 in late trading. Shares are still up nearly 25% in the past year, as the Dow Jones Industrial Average
has gained 26% and the PHLX Semiconductor index
has gained 44.5% in that time.