Spectre and Meltdown: CPU bugs put a scare in the air

Meltdown and Spectre: With all the screaming hype about this pair of CPU bugs, you’d be forgiven for thinking the sky is falling. But it might even be worse than you thought.

For starters, patching all your PCs might be incredibly hard. Second, we’ll probably see more vulnerabilities in the Intel Instruction Set Architecture (ISA). And third, it’s entirely possible that hackers have been secretly exploiting these problems for years.

So hold on to your hats. In this week’s Security Blogwatch, we overheat some ghosts.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Scott Bradlee returns to his roots

The State of Security Operations

What’s the craic? Ingrid Lunden reports from Lost Wages—patches will come to 90%+ of chips in the next week:

With the microchip processing industry facing perhaps its biggest security scare in its history…Brian Krzanich [CEO] of Intel, took to the stage…at CES to say a few words about the news. … Intel expects to issue updates to its processors soon. More than 90 percent will be getting them within the week, and the rest by the end of January.

Krzanich’s words represented a strong shift from the usually upbeat tone of Intel’s CES keynote speeches.

What, if anything, will Intel do differently in future? Mike Rogoway lights the way—Intel reorganizes amid tumult:

Brian Krzanich told employees Monday that he will create a new internal security group. … Krzanich reassigned several top executives to the new organization.

Leslie Culbertson will run the new group, called Intel Product Assurance and Security. … Josh Walden, head of Intel's new technology group, will leave that post to work for Culbertson. … Additionally, Krzanich assigned Steve Smith, an Intel vice president … to Culbertson's new organization.

But Thomas Claburn ignites this confession: [You’re fired—Ed.]

After spending last week insisting that the performance impact … "should not be significant," Intel on Tuesday tried to maintain that stance even as it acknowledged SYSmark tests assessing post-patch slowdowns ranging from [2] to 14 per cent. [But] so much consumer and business computing relies on cloud-based servers, which … have exhibited slower response times and increased CPU utilization.

Intel's downplaying of meaningful consequences … appears to have become unsustainable after Red Hat … said the impact … ranged from 1 to 20 per cent in its benchmarks and Microsoft … said something similar. … Terry Myerson, president of Microsoft's Windows and device group, did confirm [that] with Windows 10 running on older hardware … "we expect that some users will notice a decrease in system performance."

So how will we install these Intel microcode updates? Will they be included in the Windows and Linux patches? Here’s danieldk:

The microcode update is … lost between reboots.

The only way to make microcode updates stick between reboots is with a BIOS/EFI firmware update. … Then the microcode update gets applied during every boot automatically.

Oh brother. Does that mean IT has to update the firmware in every PC? Bruce Schneier pontificates depressingly:

Some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong.

In November, Intel released a firmware update to fix … another flaw in its microprocessors. But it couldn't get that update directly to users; it had to work with the individual hardware companies, and some of them just weren't capable of getting the update to their customers.

Some patches require users to disable the computer's password, which means organizations can't automate the patch. Some anti-virus software blocks the patch, or -- worse -- crashes the computer.

These aren't normal software vulnerabilities. … These vulnerabilities are in the fundamentals of how the microprocessor operates. … Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

More is coming -- and what they'll find will be worse than either Spectre or Meltdown. … These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

Sigh. Is it even worth it? Here’s kev009:

This new ucode changes fencing and branching prediction semantics.

While most people should run the new ucode and pending kernel and toolchain fixes, not all must. Most businesses buy computers on rated performance, and they are about to take an unexpected performance haircut.

Okay, but can we just step back and look at the big picture for a moment? Here’s tptacek:

Can I put a plug in again for how ****ing cool the Meltdown and Spectre attacks are? They're much more interesting than just cache timing, which … have been well-known for at least a decade.

* Meltdown and Spectre involve…instructions that from the perspective of the ISA never actually run.

* Spectre v1 undermines the entire concept of a bounds check. … There might not be a clean fix! Load fences after every bounds check?

* Spectre v2 goes even further than that, and allows attackers to literally pick the locations target programs will execute from. … And look at the fix to that: retpolines? Compilers can't directly emit indirect jumps anymore?

It's good that we're all recognizing how big a problem cache timing is. … But Meltdown and Spectre are not simply cache timing vulnerabilities; they're a re-imagining of what you can do to a modern ISA by targeting the microarchitecture.
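The two fixes tptacek alludes to for Spectre v1, a load fence after the bounds check and the branchless index clamp used as a cheaper alternative, shown beside the vulnerable pattern, as an added C example (not code from the article or from any quoted poster; public_data is constructed sample input, and the barrier fallback on targets other than x86/AArch64 is an assumption, not a real mitigation):

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample input: a small public table guarded by a bounds check. */
#define PUBLIC_LEN 8
static const uint8_t public_data[PUBLIC_LEN] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 };

/* Spectre v1 pattern: architecturally correct, but the CPU may execute the
 * load speculatively with an out-of-range idx before the branch resolves. */
uint8_t read_checked(size_t idx) {
    if (idx < PUBLIC_LEN)
        return public_data[idx];
    return 0;
}

/* Mitigation 1: a serializing barrier after the check ("load fence after
 * every bounds check"). Non-x86/AArch64 fallback is a compiler-only barrier. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");   /* assumption: port for your CPU */
#endif
}

uint8_t read_checked_fenced(size_t idx) {
    if (idx >= PUBLIC_LEN)
        return 0;
    speculation_barrier();   /* the load cannot issue until the branch resolves */
    return public_data[idx];
}

/* Mitigation 2: branchless clamp (the idea behind the Linux kernel's
 * array_index_nospec()). All-ones when idx < len, zero otherwise, computed
 * without a branch, so misprediction cannot produce an out-of-range address.
 * Assumes 0 < len <= SIZE_MAX / 2. */
static inline size_t index_mask(size_t idx, size_t len) {
    /* top bit of (idx | (len - 1 - idx)) is set exactly when idx >= len */
    size_t oob = (idx | (len - 1 - idx)) >> (8 * sizeof(size_t) - 1);
    return oob - 1;          /* 1 -> 0, 0 -> SIZE_MAX */
}

uint8_t read_checked_masked(size_t idx) {
    if (idx >= PUBLIC_LEN)
        return 0;
    idx &= index_mask(idx, PUBLIC_LEN);  /* a speculatively OOB idx becomes 0 */
    return public_data[idx];
}
```

The clamp keeps the architectural check for correctness and only uses the mask to bound what speculation can touch; the barrier variant costs more per call but needs no arithmetic reasoning about len.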

“May you live in interesting times.” Kevin Beaumont brings us this important information:

It’s … my first month … as a security vulnerability manager at my new job. Hello. It has been an interesting week.

Last week, Microsoft issued January’s cumulative security fixes. … These updates came with many caveats, and the Microsoft knowledge base articles have had extensive edits since publishing.

On Windows Server, the Meltdown and Spectre patches don’t actually do a thing. … Unless you actually add [three registry] keys the patches don’t actually enable the CPU mitigations.

My belief is organisations shouldn’t rush these patches out. They need to carefully test and see where they need to mitigate the vulnerability. … Organisations need to carefully assess and manage their situation.

Especially if their PCs run AMD CPUs. Amirite? All you need to know is in Tom Warren’s headline—Microsoft halts AMD Meltdown and Spectre patches after reports of unbootable PCs:

Microsoft has paused distributing its Meltdown and Spectre security updates for some older AMD machines after reports of PCs not booting. … Microsoft is blaming AMD’s documentation for the unexpected problems.

How have we not known for ages about problems with speculative execution? Andy Greenberg wonders if perhaps we have:

Security researcher Anders Fogh, a malware analyst for German firm GData, in July wrote … that he had been exploring a curious feature of modern microprocessors called speculative execution. … Perhaps, Fogh suggested, that out-of-order flexibility could allow malicious code to manipulate a processor to access a portion of memory it shouldn't have access to.

July 2017? That’s nothing, according to Steve Gibson:

What's Old is New Again ... 1995: "The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems." … on page 9 under section "4.2 Security Flaws": Item 6. Prefetching may fetch otherwise inaccessible instructions in Virtual 8086 mode. (From a paper in 1992!) -- 25 years ago.

1992? That’s nothing, according to Antique Geekmeister:

I'm following an intriguing discussion of similar side-channel attacks on Multics systems on GE hardware in roughly 1970. It's not a new problem. I've been trying to explain repeatedly to some colleagues while reviewing these attacks that doing "speculative compilation" is very appealing at first glance, but the work involved in doing it is not free. Security risks and maintenance of the resources are critical and related costs of such optimization.

The moral of the story? Don’t expect things to get better in 2018. This could be the tip of an extremely cold iceberg.

And finally …

You’ve Got a Friend in Me

Scott “Postmodern Jukebox” Bradlee returns to his roots

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.


Image source: Alexandra (cc0)
