Meltdown and Spectre: ‘worst ever’ CPU bugs affect virtually all computers

maheshn

Journeyman
In depth details about the bugs, patching used and how it affects perfomance.....


Here’s how, and why, the Spectre and Meltdown patches will hurt performance
 

quicky008

Technomancer
There's been a lot of ruckus and conflicting reports about meltdown and specter in the tech communities of late-from what i've read so far,it seems protection against the meltdown bug can be implemented at OS level in the form of hotfixes and patches.Unfortunately however this doesn't seem to be the case with Specter for which one the only known fix(atleast partially)is to install some kind of microcode update that is being issued by the cpu manufacturer(Intel in this case i believe).

However microcode updates have to be incorporated into the bios and then one must update their motherboard's bios itself to enable the safeguards to take effect-but so far majority of motherboard manufacturers have only issued bios updates for newer generation of intel cpus,leaving users of older systems(especially those still using hardware that dates back to 2012 or older)out in the cold;it seems for such users,there's very little chance that they will ever receive any bios updates to resolve this major flaw with their cpus.

As the owner of 2-3 such systems (that use older intel cpus),this makes me really concerned as to how long can i continue using them without being affected by the specter bug(or any of its variants)in the foreseeable future.I don't think any bios updates will ever be released for such older platforms-so what is someone supposed to do in that case?Even if bios updates are released eventually,it will not be possible for everyone to install them seamlessly either as updating the bios is risky and it might brick an older device that's out of warranty.

Also its just as difficult for everyone to retire such older hardware and opt for newer,more secure products immediately as that entails a significant expenditure of time and money.So are there any workarounds or alternative fixes of the specter bug.It seems operating systems like Windows and linux are capable of loading cpu microcodes during boot-so can the microcode updates be implemented in the OS itself instead of the bios so that updating the bios is no longer required?

What problems are someone likely to face if he is still using an unsecured system when exploits that take advantage of these vulnerabilities start becoming more common in the near future?I'd appreciate if someone could throw some light on this matter as its confounding(and scary)to say the least.

(ps- apologies for the lengthy post)
 

whitestar_999

Super Moderator
Staff member
Here is the summary I gathered from reading some quite detailed reddit & wilders thread:
6th gen & newer intel processors+win 10=least impact
4th gen & older intel processors+win 10=more impact
4th gen & older intel processors+win 7/8=most impact

Win 10 works differently from win 7/8 which increases the performance impact on these older windows versions.Similarly 7th & 8th gen intel processors have more efficient architecture which results in lesser impact on performance compared to older gen intel processors.

SSD performance(especially random/4k read write) is most likely affected(on some systems even by 20-30% in random/4k read write) in all scenarios.

These vulnerabilities basically allow a malicious script running in a browser to access all data in memory & cache meaning any password entered in any browser/program window or saved login info in any browser cookies & any password in ram(e.g.password managers,keystroke scramblers,encryption software etc) can be accessed.Security experts believe that as of now there are no such scripts that are being used in real world exploiting these vulnerabilities but potential is there.

Meltdown bug affects only intel processors while Spectre bug affects almost all processors though exploiting Spectre bug on AMD processors is much more difficult compared to Intel processors.

Best solution to above is:Only open one browser window(in entire system aka no other browser/tab) to surf important financial transaction related sites(like bank sites) in incognito/private mode & after completing your task,close the browser & wait for a few minutes so nothing remains in ram or hdd related to that browsing session.Of course delete all saved passwords/login info related to important sites from all browsers too.Always use latest version of any browser & keep your windows & AV updated.
 

quicky008

Technomancer
does it still make sense to get an used Xeon or a Core i series cpu for a cheap gaming or workstation build now,given that the recently unveiled meltdown and specter bugs are known to make them highly susceptible to various security exploits? Can using one of the chips that are known to be affected by these bugs(esp. Specter which is targeted at intel cpus)seriously compromise the security of a system?
 

quicky008

Technomancer
Thanks for the comprehensive explanation,whitestar_999-will keeping the OS up-to-date with the latest patches provide any level of protection at all against meltdown and specter(even on older systems that dont have the latest bios installed)?Also is it true that even if a system has been compromised by any of the aforesaid exploits,it wont be detected by any av or security program as they can bypass them all by exploiting a flaw in the cpu's architecture?
 

whitestar_999

Super Moderator
Staff member
Forgot to add one thing,not all software patches are available for 32bit windows.

Yes,software patches in combination with BIOS updates only will provide all levels of protection against "currently known" methods of exploiting these vulnerabilities(currently known methods are not all the possible methods to exploit these vulnerabilities as per many security researchers). Linux doesn't require BIOS updates like windows as one can patch cpu microcodes on reboot with a linux kernel unlike windows which must need cpu microcodes in updated BIOS to run them in windows.

These vulnerabilities can allow javascript running in a browser to access all information in memory.This is not installation of something because nothing actually came to your system & that is why it can not be detected by any current AV/similar software.The malicious javascript is running on a remote server & your browser is merely translating this javascript to machine instructions & simply reading data in memory(no modification/deletion/corruption of files etc). Once you close the browser window it is gone leaving no trace behind.
 

whitestar_999

Super Moderator
Staff member
The tools mentioned in above link are not exactly meant for typical home users & probably why microsoft actually added InSpectre tool to dangerous program in its WD database as well as smart screen filter.In any case as long as bios update is not released for your desktop mobo bios/laptop bios,there isn't even any need to check as that automatically means a system is vulnerable.
 

topgear

Super Moderator
Staff member
I'm not scared but not ignorant either. My guess like other this flaw is there for a long time and for a reason for security agencies to steal data and at-least wannacry type thing did not spread through such cpu bug.
This bug only discovered now and what else is there on the processor to steal data god only knows.

I'm still on win7 so using a browser incognito mode is all I can think off. But this new bug sure will increse the sell of 'new' hardware by a big margin especially corporate client base where there are many old computers still in use as they don't need any extra processing power or a new OS but for safe guarding data they may incline more towards cluoud solutions or newer hardware and the same goes for many of us ie getting newer hardware - so I can see this as a security breach and at the same time a business plan.
 

whitestar_999

Super Moderator
Staff member
I'm not scared but not ignorant either. My guess like other this flaw is there for a long time and for a reason for security agencies to steal data and at-least wannacry type thing did not spread through such cpu bug.
This bug only discovered now and what else is there on the processor to steal data god only knows.

I'm still on win7 so using a browser incognito mode is all I can think off. But this new bug sure will increse the sell of 'new' hardware by a big margin especially corporate client base where there are many old computers still in use as they don't need any extra processing power or a new OS but for safe guarding data they may incline more towards cluoud solutions or newer hardware and the same goes for many of us ie getting newer hardware - so I can see this as a security breach and at the same time a business plan.
It is nothing but trading speed for security especially by Intel.The reason why Intel processors,especially since core2duo era,are on an average always faster than AMD processors is because of the sacrifices Intel made on security front to keep their processors ahead of AMD.Because of this reason Intel processors are affected by Meltdown bug but not AMD processors & also the reason why Intel processors are much more susceptible to Spectre bug than AMD processors.

No new hardware(aka processor) immune against Spectre is going to be launched in the market for at least 2-3 years because it requires a complete rewriting of cpu architecture which neither Intel nor AMD can do even in a year.Also "Cloud hardware" is much more affected by these bugs because unlike consumer desktop/laptop,cloud hardware runs shared servers & now anybody can rent a cheap server to run on some of the biggest cloud service hardware providers & potentially exploit these bugs to access crucial information from other servers of companies/organizations running on same cloud hardware.That is also the reason why some cloud service become slow after application of these patches because unlike consumer systems they don't have the luxury of not installing patches & waiting for things to clear.

Right now AMD hardware is the better option to buy even after taking into account its vulnerability to Spectre.
 

Hrishi

******************
It is nothing but trading speed for security especially by Intel.The reason why Intel processors,especially since core2duo era,are on an average always faster than AMD processors is because of the sacrifices Intel made on security front to keep their processors ahead of AMD.Because of this reason Intel processors are affected by Meltdown bug but not AMD processors & also the reason why Intel processors are much more susceptible to Spectre bug than AMD processors.

No new hardware(aka processor) immune against Spectre is going to be launched in the market for at least 2-3 years because it requires a complete rewriting of cpu architecture which neither Intel nor AMD can do even in a year.Also "Cloud hardware" is much more affected by these bugs because unlike consumer desktop/laptop,cloud hardware runs shared servers & now anybody can rent a cheap server to run on some of the biggest cloud service hardware providers & potentially exploit these bugs to access crucial information from other servers of companies/organizations running on same cloud hardware.That is also the reason why some cloud service become slow after application of these patches because unlike consumer systems they don't have the luxury of not installing patches & waiting for things to clear.

Right now AMD hardware is the better option to buy even after taking into account its vulnerability to Spectre.
The day we see a malware exploiting this flaw and becomes publicly available... It will be devastating.

Sent from my ONE E1003 using Tapatalk
 

whitestar_999

Super Moderator
Staff member
Meltdown can be patched at the cost of performance & patching Spectre to some extent is possible provided your intel system mobo is fairly recent(aka at least 6th gen). As for spectre,exploiting it is far more difficult compared to meltdown so its target will most likely be big organizations/lucrative businesses & not home users.
 
Last edited:

quicky008

Technomancer
so if an older system doesn't receive a bios update,does it mean its practically worthless (from a security standpoint)and deserves to be chucked out of the nearest window?This will render a huge number of otherwise high-performance intel cpus obsolete overnight as they belong to older generations/platforms for which no mobo manufacturer will ever release any updated bios files-this very thought itself is disturbing as well as saddening!
 

whitestar_999

Super Moderator
Staff member
Bios update is mainly for Spectre bug,MS windows patches are for Meltdown bug.I have edited my earlier post for clarification.Exploiting Spectre bug is difficult so most likely its target will be big organizations.Spectre bug can be theoretically executed via a mere javascript running in a browser so for safety remove all saved login info related to banking/sensitive sites from all browsers/programs & open only one browser window(no other tab/browser open in system) in incognito/private mode when doing banking/sensitive transactions & close it after logging out & wait for 1-2 minutes before launching same/another browser for usual surfing.Also keep all browsers updated at all time.
 

billubakra

Conversation Architect
The tools mentioned in above link are not exactly meant for typical home users & probably why microsoft actually added InSpectre tool to dangerous program in its WD database as well as smart screen filter.In any case as long as bios update is not released for your desktop mobo bios/laptop bios,there isn't even any need to check as that automatically means a system is vulnerable.
Bios update is mainly for Spectre bug,MS windows patches are for Meltdown bug.I have edited my earlier post for clarification.Exploiting Spectre bug is difficult so most likely its target will be big organizations.Spectre bug can be theoretically executed via a mere javascript running in a browser so for safety remove all saved login info related to banking/sensitive sites from all browsers/programs & open only one browser window(no other tab/browser open in system) in incognito/private mode when doing banking/sensitive transactions & close it after logging out & wait for 1-2 minutes before launching same/another browser for usual surfing.Also keep all browsers updated at all time.

As per the link shared by @Flash How to Check if Your PC or Phone Is Protected Against Meltdown and Spectre my laptop is vulnerable to spectre, will check the pc when I am at home. Few things, how to update bios? I have an Intel processor i5 generation 5th or 6th I guess, how to be sure about it and an Ryzen 1600 in the pc. Is there any need to update the processor's drivers from device manager?
About browser update, I have not saved any of the bank related passwords in the browser and I am not updating the browser as all versions of FF above v56 don't support the older extensions. Well that's the risk I am willing to take.
 

whitestar_999

Super Moderator
Staff member
*i.imgur.com/q8HmfAF.png
Every Intel processor is affected by Meltdown as well as Spectre bug,windows patch is for meltdown bug(it is this patch that reduces performance of intel processors) & 1st variant of Spectre bug that comes through windows update.Bios update of mobo manufacturer only address 2nd variant of Spectre.There is practically no pc processor currently in the world that is not vulnerable against Spectre.That tool only shows "yes" for reason that spectre os patch & spectre bios patch is applied,removing spectre vulnerability requires a new design processor completely different from current processor designs.

@billubakra for intel laptops BIOS update from laptop manufacturer is required for Spectre v2 mitigation but don't be in a hurry because in last few days many laptop manufacturers(incl Dell & HP) had to recall bios updates after many complaints about system reboots & system instability issues.For AMD systems only Spectre patches are required & Spectre v1 patch will be provided by MS through update while Spectre v2 patch require bios update from your system mobo manufacturer.
 

billubakra

Conversation Architect
Every Intel processor is affected by Meltdown as well as Spectre bug,windows patch is for meltdown bug(it is this patch that reduces performance of intel processors) & 1st variant of Spectre bug that comes through windows update.Bios update of mobo manufacturer only address 2nd variant of Spectre.There is practically no pc processor currently in the world that is not vulnerable against Spectre.That tool only shows "yes" for reason that spectre os patch & spectre bios patch is applied,removing spectre vulnerability requires a new design processor completely different from current processor designs.

@billubakra for intel laptops BIOS update from laptop manufacturer is required for Spectre v2 mitigation but don't be in a hurry because in last few days many laptop manufacturers(incl Dell & HP) had to recall bios updates after many complaints about system reboots & system instability issues.For AMD systems only Spectre patches are required & Spectre v1 patch will be provided by MS through update while Spectre v2 patch require bios update from your system mobo manufacturer.
Thanks. Won't update the lappy's bios. My pc has a Asus B350 plus mobo. How to update its bios? Have they released a stable version?
 
Top Bottom