Patch for Meltdown and Spectre? On Standby

January 25, 2018  |  By Panagiotis Kintis

Earlier in January, two critical vulnerabilities in Intel microchips, Meltdown and Spectre, were disclosed. Although several patches have been made available, Intel advised customers on Jan. 23 not to apply firmware patches and to wait instead for other updates, because of reports of instability. The vulnerabilities persist.

IISP Analyst Panagiotis Kintis: "What is special about Meltdown and Spectre is that they do not affect a single application or a specific protocol, but target modern processors and cause severe memory leaks. Unfortunately, 'modern' refers to almost every processor built since 1995, including the most popular architectures like Intel, AMD, and ARM. 

The fact that a computer giant like Intel is 'taking its time' with fixing such a significant vulnerability is really concerning. Systems affected by Meltdown can immediately leak arbitrary data from memory and allow private data to exchange hands. Similarly, Spectre allows remote execution of code that can also leak memory to a third party. These both reminded me a lot of the chaos when the Heartbleed bug emerged, more than three years ago. The big difference is that Heartbleed was fixed with a simple change in the source code of OpenSSL that anybody could patch very easily. Meltdown and Spectre require much more work, from several different vendors, to make sure that processors -- the core of every computer system -- are not vulnerable anymore.

Moreover, the patch Intel provides, instead of being a transparent fix, requires the user to opt in and enable it before it takes effect. This opt-in mechanism has raised significant criticism. Linus Torvalds publicly complained about Intel's approach, asking for something better. Even though his messages might be a little blunt, I am not sure he is completely wrong. We are facing two very important vulnerabilities, which can leak private data (like passwords, encryption keys, certificates, etc.) and we are asked to just wait. At the same time, the patches Intel has provided seem to affect CPU performance, making it slower than expected. Intel's solution to this issue was to make the customer choose between performance and security. By default, the CPU's performance is not affected if the customer does not opt in to the vulnerability fix. If the user chooses security though, they will have to forfeit performance.

We have been designing systems, protocols, and applications with performance and efficiency in mind. Security by design almost never has been the norm. We are victims of that approach and we have been trying to solve security problems for years, the cost of which is paramount. Today, Intel is contributing towards the former perspective. The question is, do customers understand how important the tradeoff is?"
