No one likes going back to work after Christmas. The early mornings, the ever-disappointing trains and having to deal with hordes of perpetually grumpy commuters… it all sucks. But just imagine coming back to the office only to discover that the things you make and sell to people all across the globe and form the basis of every PC in the known world have a major security flaw that you can’t really fix. And some of the fixes you can implement may put a serious dent in your PC’s performance.
That’s what happened to the CPU industry this week, and I can only imagine a lot of Intel, AMD and ARM execs are pulling what I’m going to call the ‘Total Recall Arnie scream’ this very moment. Happy New Year!
So what’s this CPU problem all about and what does it mean for you? Well, put simply, it turns out that researchers and security experts have discovered two really quite major flaws in almost every CPU around today. One has been reassuringly dubbed ‘Meltdown’, while the other is being called ‘Spectre’, and both allow hackers to get their mitts on a computer’s entire memory contents, be it passwords, log-ins or other important personal data stuff. It’s not just PCs that are affected either, as the flaw also extends to mobile devices and servers that run various cloud services.
Right now, the Meltdown problem has only been found in Intel chips (plus ARM’s Cortex-A75 mobile processors), but according to The Register, who first broke the news, it might potentially affect all high-performance Intel processors since 1995. That’s a lot of CPUs. Even worse, every x86-64 Intel CPU since 2011 is definitely affected. The only ones that might be safe are Itanium processors and pre-2013 Atom chips.
The New York Times has a pretty comprehensive run-down of how Meltdown actually works, but the good news is that there’s already a Windows software patch that’s available right now. If you haven’t already downloaded it, you probably should. Linux users can also fix it with the following instructions, while Apple’s MacOS should have been patched with update 10.13.2.
The bad news? Said software patch will apparently slow down your CPU’s performance by as much as 30%, which rather takes the shine off those fancy new Coffee Lake chips. Intel, of course, claims this figure is being exaggerated, saying the performance impact will be “work-load dependent” and “should not be significant”, but until I get some benchmarks running it will be difficult to just how much of a hit we can expect to see.
It only gets worse, too, as anyone thinking about jumping ship to AMD to try and evade Meltdown still won’t escape the shadow of Spectre, which has been found in virtually all types of processor, AMD included. Spectre is much trickier to fix, and there’s currently no known solution. As far as we understand it, it might even require an entire redesign of the whole CPU architecture as we currently know it and/or, you guessed it, a total recall of all affected chips. As such, this could be an issue that sticks with us for many more years to come, according to another NY Times reporter.
In truth, CPU companies have known about these threats for a while. The problem was first outed by Google’s Project Zero research last June (the exact findings of which have been published this morning) , and was going to be officially announced next week – presumably so that fixes would be readily available at the same time so people wouldn’t freak out like Arnie up the top there. Only The Register decided to leak it yesterday, no doubt to probably cause a bit of a stink just before the Las Vegas tech fest that is CES begins on Sunday, hence all the panic and commotion happening right now.
Fortunately, there’s been no evidence so far to suggest anyone’s actually taken advantage of these flaws to steal any of our precious data, according to the BBC, who spoke with the UK’s National Cyber Security Centre, but how long that will remain the case is anyone’s guess now it’s all out in the open.
In the meantime, my advice would be to get that security update sorted for Meltdown and hang tight. There’s still a lot we don’t know about these flaws, mostly because the news of their existence has been rushed out ahead of time, and we’ll need some time for the dust to settle before anyone knows how to tackle the truly James Bond villain-sized problem of Spectre.