Meltdown and Spectre chip flaw timeline

Just after the turn of the year, on 2 January, researchers from Google revealed hardware vulnerabilities in the majority of CPUs on the market, and called them Meltdown and Spectre.

Meltdown, Google explains, "breaks the most fundamental isolation between user applications and the operating system.

"This allows a program to access the memory, and thus also the secrets, of other programs and the operating system."

The researchers described Spectre as a flaw that "breaks the isolation between different applications" – "it allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.

"In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre."

The flaws affect billions of systems globally across AMD, ARM and Intel designs. The semiconductor industry has worked hand in glove since the vulnerabilities were revealed to try to address them with updates, but these are causing problems of their own – slowing down older systems and even making some PCs unbootable.

Read on to see how the drama has unfurled so far.

2 January - flaws made public

The flaws were first discovered by Jann Horn of Google Project Zero; Werner Haas and Thomas Prescher from Cyberus Technology; and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology.

The researchers revealed that the flaws were found in the speculative execution function that is used by most modern CPUs to enhance performance – including those found in AMD, Intel and ARM designs, some of the most prolific chipmakers on the planet.

This is 'Spectre', a class of exploits that run through speculative execution to access locations in an operating system’s memory space.

At the same time, the researchers also disclosed the 'Meltdown' vulnerability, which primarily affected Intel x86 microprocessors plus some ARM-based processors. When it was disclosed, this was thought to include everything from iOS and Mac devices to Windows and Linux to servers and smart TVs.

3 January - Intel issues statement

Intel admitted in a statement that its chips were affected by the finding, but disputed that these were 'bugs' or 'flaws' – see the Register for a tongue-in-cheek translation of the official spin.

Although 'Meltdown' was thought to affect processors dating back to 1995, Intel said in a statement that it "believes its products are the most secure in the world" – however, it did recommend users who might be affected apply a patch as soon as it was made available.

3 January - Linux founder Linus Torvalds takes fire at Intel

Linux founder Linus Torvalds dragged the Intel statement in an email sent to Linux List. In it, he says: "think somebody inside of Intel needs to really take a long hard look at their CPUs, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.

".. and that really means that all these mitigation patches should be written with "not all CPUs are crap" in mind.

"Or is Intel basically saying "we are committed to selling you shit forever and ever, and never fixing anything"?

"Because if that's the case, maybe we should start looking towards the ARM64 people more.

"Please talk to management. Because I really see exactly two possibilities:

"- Intel never intends to fix anything

"OR

"- these workarounds should have a way to disable them.

"Which of the two is it?"

4 January - government and health sectors at risk - report

A Bloomberg report detailed how regulated sectors like government and health are most at risk of the flaws because they are more likely to be running older systems. This could negatively impact organisations that rely on legacy systems, as patches threaten to slow them to a crawl.

"This will adversely affect highly regulated sectors, such as the NHS," Michela Menting at ABI Research told Bloomberg. "There’s a whole chain of authority that needs to run before machines can be altered. In addition to this wait time, once the patches are run, they are likely to slow down processing speeds."

4 January - Intel issues second statement to fix '90 percent' of affected chips

In a less confrontational post, Intel claimed that it had made progress with fixing the issues and that it would have 90 percent of PCs patched within a week's time.

5 January – Apple confirms Macs, iPhones and iPads vulnerable

Apple said in a blog post that "all Mac systems and iOS devices are affected" by Meltdown but that there are "no known exploits impacting customers at this time".

"These issues apply to all modern processors and affect nearly all computing devices and operating systems," the company stated, adding that it had already put "mitigations" in place for the latest iOS and macOS updates at the time of publishing.

8 January – Intel CEO Brian Krzanich talks Meltdown, Spectre at CES keynote

The CEO of Intel, Brian Krzanich, made the unusual move of using his keynote speech at the Consumer Electronics Show in Las Vegas to address Meltdown and Spectre.

He committed to issuing updates for all processors released in the last five years by the end of January. Intel was said to be collaborating with AMD and ARM for the fix.

"For our processors - products introduced in the past five years - Intel expects to issue updates for more than 90 percent of them within a week," Krzanich said, according to CNBC. "And the remaining [updates will be available] by the end of January."

At the same time, Krzanich was reported to have committed to building a new security group within Intel.

9 January – Microsoft warns of performance impacts of Spectre and Meltdown

Microsoft said that patching systems against the Spectre and Meltdown vulnerabilities could have an effect on performance. It noted that Windows 10 PCs running older silicon show some slowdowns on performance, and it expected that "most users" running Windows 7 and Windows 8 on older silicon will experience a decrease in performance.

9 January – IBM allegedly struggles to patch Meltdown and Spectre

The Register claims to have seen documents from IBM that show the company struggled to create internal processes to fix the flaws.

"Internal documents seen by the Register reveal that Big Blue has ordered staff not to attempt any Meltdown/Spectre patches, but that the advice to do nothing is incorrect and needs to be changed," the Register writes. "The documents also reveal that IBM is urging its people to stick to a script and use a pre-approved presentation when discussing Meltdown/Spectre remediation with customers."

But apparently those documents were not completed or approved at the time of publication.

9 January – ARM says five percent of its designs are affected

Chip design business ARM stated it expects five percent of all of its 120 billion chips manufactured since 1991 are impacted by Spectre, while the number for Meltdown will be less.

“ARM will address Spectre in future processors but there will need to be an ongoing discipline in the design of secure systems which needs to be addressed through both software and hardware,” ARM said in a statement to Reuters.

9 January – Microsoft puts Meltdown and Spectre AMD patches on ice

Microsoft halted security patches for older AMD machines after users reported that their PCs had stopped booting.

A Microsoft spokesperson told the Verge: “Microsoft has reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates. After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”

AMD confirmed it was aware of the problem, and that the two companies were working together to resolve the issue.

10 January – Google lists Chromebooks affected by Meltdown

Android Police discovered that Google had published a table on the Chromium Wiki that details all available Chromebooks and how they are impacted by Meltdown, if at all. Most are protected, but older Chromebooks that no longer receive updates will not be patched.

Copyright © 2018 IDG Communications, Inc.