Recent press reports talk about a newly discovered form of security threat that involves attackers exploiting common features of modern microprocessors (aka chips) that power our computers, tablets, smartphones, and other gadgets. These attacks, known as “Meltdown” and “Spectre”, are getting a lot of attention. People are (rightly) concerned, and it’s of course very important to apply all of the necessary software updates that have been carefully produced and made available.
Meltdown and Spectre are impressively ecumenical in their ability to create havoc, affecting devices running nearly every desktop and mobile operating system. And while software patches can mitigate the effects for now, the long-term solution involves fundamental changes to CPU design that could take years to reach the market. One week after the (premature) public disclosure of the details of these attacks, we now know enough to survey the threat landscape and plan the long-term response.
So at the very basic level, what's at risk here? Essentially, Meltdown allows malware to gain access to protected memory within your CPU, areas within your processor that should be impossible to access. Sensitive data of just about any description is potentially accessible. Spectre offers another vector in acquiring sensitive data, to the extent that, although more difficult to deploy, it may well be causing headaches months or even years from now.
The first order of business is: Don't panic. The tech press loves to treat security incidents like this one as apocalyptic but the reality is you have time to devise a comprehensive response. "Ready, fire, aim" is rarely a good strategy, especially when there are no known exploits in the wild at this time.
So what to do at this time of crisis? As we said earlier, DON'T PANIC and follow our instructions to fight this situation as listed below:
- Some of the worst flaws can be fixed with UEFI firmware and BIOS updates, using microcode supplied by the maker of that component and adapted for each specific PC model. In the case of Microsoft Surface devices and Apple-branded hardware, these updates arrive along with regular security and reliability updates and thus don't require additional steps beyond your normal patching policy. For third-party hardware, you might need to go through significant extra work to find out whether your devices are eligible for a firmware update and, if so, when that update will be available. Don't expect firmware updates to arrive in the next few days or even weeks. This type of code change requires extensive testing, and every PC maker has a different approach to the problem.
- Re-examine every layer of information security infrastructure in your organisation or at homes. Most of the third party security suites are not good enough to tackle every problem word throws at us. Also, few of them will be alert enough to pass on security patches for all the latest threats before they even hit our shelves.
What we have at the moment is only a small sliver of data on what may well be just the first of a range of patches, but in the here and now, there's good news and bad news.
The good news is that performance is holding up: our tests here artificially push CPU performance to the forefront in a world where the GPU is the primary limiting factor in gaming. And even here, only one game sees an appreciable hit to performance and even that is in one part of a very well-optimised game that we've specifically chosen for CPU stress-testing. Most of The Witcher 3 plays much more smoothly.
The bad news is Spectre. First of all, the full extent of the issue and its potential exploitation could mean that it's an issue for years to come, but in the short term, the question is the extent to which microcode updates will roll out to older systems - and by extension, whether mainboard manufacturers will patch up older generation CPUs. In a world where vintage-2011 Sandy Bridge processors like the classic Core i5 2500K are still widely used in gaming PCs, should users now take the opportunity to upgrade? Alternatively, with so many of these CPUs in use, maybe Intel and the mainboard manufacturers have a duty to ensure that these systems are as secure as they can possibly be? We'll be following the situation closely over the following weeks and months as the full extent of the issue - and the remedies deployed - come into sharper focus.
0 Comments