I’m increasingly skeptical of security holes that have their own logos and PR campaigns. Yesterday’s sudden snowballing of disclosures about two groups of vulnerabilities, now known as Meltdown and Spectre, has led to enormous numbers of reports of varying quality, and widespread panic in the streets. In the case of Intel's stock price, that's more like blood in the streets.
While it’s true that both vulnerabilities affect nearly every computer made in the past two decades, it’s also true that the threat — especially for plain-vanilla Windows users — isn’t imminent. You should be aware of the situation, but avoid the stampede. The sky isn’t falling.
How the Meltdown and Spectre flaws were discovered
Here’s how it all unwound. Back in June 2017, a security researcher named Jann Horn, working for Google’s Project Zero team, discovered a way for a sneaky program to steal information from parts of a computer that are supposed to be off limits. Horn and Project Zero notified the major vendors — Google, of course, as well as Intel, Microsoft, Apple, AMD, Mozilla, the Linux folks, Amazon and many more — and a quiet effort began to plug the security holes without alerting “the bad guys.”
Although the Linux community leaked details, with the KAISER series of patches posted in October, few realized the enormity of the problem. By and large, people in the know agreed to keep it all quiet until Jan. 9 — this month’s Patch Tuesday.
On Monday, Jan. 1, the beans started spilling. An anonymous poster calling him/herself Python Sweetness put it out in the open:
There is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.
John Leyden and Chris Williams at The Register turned the leak into a gush on Tuesday, with details about the effort to plug the Meltdown security hole:
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.
Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: These changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.
By Wednesday, the Patch Tuesday gag was thrown to the wind, with a definitive statement by Google’s Project Zero, festooned with official logos (“free to use, rights waived, via CCO”) and metric tons of ink followed. There are thousands of explainer articles circulating at the moment.
The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.
Those of you hating on Intel should note that there’s plenty of blame to go around. That said, I still cast a jaundiced eye at CEO Brian Krzanich selling $24 million in INTC stock on Nov. 29.
Microsoft releases Windows patches
Yesterday evening, Microsoft released Windows patches — Security-only Updates, Cumulative Updates, and Delta Updates — for a wide array of Window versions, from Win7 onward. See the Update Catalog for details. (Thx, @Crysta). Note that the patches are listed with a “Last Updated” date of Jan. 4, not Jan. 3, the nominal release date. The Win7 and 8.1 patches are Security Only (the kind you have to install manually). I’ve been assured that the Win7 and 8.1 Monthly Rollups will come out next week on Patch Tuesday.
The Win10 patch for Fall Creators Update, version 1709, contains other security fixes besides those related to Meltdown. The other Win10 patches appear to be Meltdown-only. Those of you running the beta version of Win10 1803, in the Insider Program, have already received the patches.
BUT… you won’t get any patches installed unless and until your antivirus software sets a specific registry key. (It now appears as if the value of the key doesn’t matter; just the presence of the registry entry turns on Meltdown protection. Thx, @abbodi86, @MrBrian.) If you’re running third-party antivirus, it has to be updated before the Meltdown patch installer will run. It looks as if there are known problems with bluescreens for some antivirus products.
There are also cumulative updates for Internet Explorer 11 in various versions of Win7 and 8.1 listed in the Update Catalog. The fixes for Win10, and for Edge, are inside the respective Win10 cumulative updates. Microsoft has also released fixes for SQL Server 2016 and 2017.
Windows XP and Server 2003 don’t yet have patches. No word on whether Microsoft will release those sooner or later.
Kevin Beaumont, @GossiTheDog, is maintaining a list of antivirus products and their Meltdown-related problems. On Google Docs, of course.
Meltdown and Spectre facts
With all the news swirling, you might feel inclined to get patched up right now. I say wait. There’s a handful of facts that stand in the way of a good scare story:
- There are no active exploits for either Meltdown or Spectre, although there are some demos running in labs.
- Updating Windows (or any operating system, including macOS and ChromeOS) isn’t sufficient. You have to install firmware updates, too, and none of the major PC manufacturers have firmware updates. Not even Microsoft.
- It’s unclear at the moment which antivirus products set the magic registry key, although Windows Defender appears to be one of the compliant products.
- If the world were ending, Microsoft would’ve released Monthly Rollups for Win7 and 8.1, yes?
In addition, we have no idea how these rushed-to-market patches are going to clobber the billion or so extant Windows machines. I’m already seeing a report of conflicts with Sandboxie on AskWoody, and Yammer going offline isn’t reassuring.
It’s possible Microsoft’s kernel team has pulled off another change-the-blades-while-the-blender-is-running feat. But it’s also possible that we’ll hear loud screams of pain from many corners today or tomorrow. The anticipated performance penalty may or may not pan out.
There's an enormous amount of official Microsoft documentation:
- Security Advisory ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities
- Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities (which includes the warning about firmware updates)
- Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities (which includes a PowerShell script to see if your machine is protected)
- Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer
- Important information regarding the Windows security updates released on January 3, 2018 and antivirus software
- Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
- SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
Just about every hardware or software manufacturer you can name has its own warnings/explanations posted. I found AMD's response (basically, Meltdown poses "near zero risk" on AMD chips) particularly enlightening. Reddit has a megathread devoted specifically to the topic.
Grab a box of popcorn and join us on the AskWoody Lounge.