Security Bits Special – Spectre and Meltdown Update

We felt it was a good idea to bring everyone up to speed on what we know a week later about Spectre and Meltdown instead of waiting for our regularly scheduled Security Bits.

  • We now know we need to keep an eye out for three distinct kinds of updates:
    • OS updates — most major OSes are now patched:
      • Windows 7, Windows 8 & Windows 10 have been patched
        • Microsoft have withdrawn the patch for computers with certain AMD CPUs because of BSODs (arstechnica.com/…). Microsoft are placing the blame for this squarely on AMD:
          “After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown”
      • MacOS High Sierra
      • Linux
      • iOS 11
      • Android (if you can get the patch via the possibly long route between Google and your devices)
      • ChromeOS
    • Browser Updates — all the major browsers are patched, or patches are on the way
    • CPU Microcode updates (think of them as firmware updates for your CPU) — on the way
      • These will arrive as firmware updates from your motherboard/computer vendor
      • Whether or not you get an update will depend on the kind of CPU you have, and how new it is
      • Both Intel & AMD are working on microcode updates
  • The performance effects are even more variable than we thought last time
    • As we knew last time, the type of things you do on your computer will have a big effect on how much of a slowdown you experience
      • The performance impacts are hitting some cloud providers particularly hard, but there are some exceptions, e.g. Google say they implemented fixes to their cloud services over the last few months with no noticeable performance hit (www.reuters.com/…)
    • Age, make and model of CPU play a really big role in how badly affected you’ll be
      • Numbers from Microsoft show that CPUs from 2015 and older will be much more significantly hit than newer CPUs — cloudblogs.microsoft.com/…
    • There is a silver lining: modern OSes will be able to regain a significant amount of performance when the upcoming microcode updates make their way out.
    • OS vendors are focusing on their newer OSes when it comes to adding OS support for the new features coming in the microcode updates, so, as time goes on, your choice of OS will become an even more important factor — e.g. Windows 7 & Windows 8 are not being updated to take advantage of some of the new CPU features, but Windows 10 is.

Links

A Palate Cleanser

  • A tweet showing anti-malware someone left for their parents: twitter.com/…

1 thought on “Security Bits Special – Spectre and Meltdown Update”

  1. Christian Lynbech - January 18, 2018

    In relation to effects on servers such as those at Backblaze, one can mention that *if* you have control over all the software that runs on a machine, you can choose to not patch it.

    This will not be the case for a cloud provider that runs applications provided by random customers or end users that run browsers (as Bart explained) but for a Backblaze server it might be worth it to avoid the performance penalty.
