Dubbed "Meltdown" (melts security boundaries which are normally enforced by the hardware) and "Spectre" (root cause: speculative execution), flaws have been discovered that affect the security of Intel, AMD, and ARM-based chipset architectures going back decades.
Apple has apparently already started patching macOS. Here's what you need to know.
Why is this all so confusing?
Good question! Chipset vendors like Intel, AMD, and ARM, and platform-makers including Apple, Microsoft, and the Linux Foundation, were apparently working under a mutually agreed-upon embargo.
Updates made to Linux, however, were spotted and eventually picked up by news outlets, including The Register.
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.
Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.
Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.
That led to some initial information but only partial information and a lot of uncertainty.
But it's not just Intel, correct?
Correct. And the early focus on Intel likely prompted the company to get its statement out first, ahead of everyone else:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Apple has apparently already fixed the flaw in macOS High Sierra, while seemingly avoiding significant performance degradation.
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63— Alex Ionescu (@aionescu) January 3, 2018
We'll need to wait for official word from Apple on the details.
Is AMD really affected, though — reports seem to disagree?
So. Much. Confusion. An AMD engineer, before the embargo lifted, claimed AMD wasn't affected.
AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
AMD also told Fortune the risk was "near zero":
"Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time," the company said in a statement. "We expect the security research to be published later today and will provide further updates at that time."
Theoretically, at least, no modern processor architecture is immune.
Apple currently doesn't use CPUs made by AMD in any of its products, only GPUs, so, regardless of how this part shakes out, it won't have any affect on Mac users.
What about ARM? Apple uses ARM chips in iPhone, iPad, and Apple TV, right?
Right. Apple originally licensed ARM designs. Starting with iPhone 5s, Apple switched to licensing the ARM v8 instruction set, which let Apple make its own, custom CPU.
ARM has issued the following statement, saying the majority of its processors are not affected:
Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.
Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed and not based on a flaw or bug. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.
It is important to note that this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads.
The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism. A definitive list of the small subset of Arm-designed processors that are susceptible can be found below.
Apple's going to have to let us know which, if any, of its ARM-based processors are affected.
So, what are Meltdown and Spectre exactly?
There are flaws in many modern chipsets that allow speculative references to probe privileged data. Google disclosed that it's Project Zero team discovered the flaws, now being called Meltdown and Spectre.
From Google:
Last year, Google's Project Zero team discovered serious security flaws caused by "speculative execution," a technique used by most modern processors (CPUs) to optimize performance.
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running them.
Project Zero has more information on the flaws.
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].
So far, there are three known variants of the issue:
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
Is it time to panic and burn it all down?
Not yet. Operating systems are being patched. Details are emerging. We're learning about the flaws and about the responses to them.
For now, stay informed and stay updated. As the patches come out both now and in the future, download and install them.
No code is perfect. There will always be bugs. Some of them will seem gobsmackingly stupid. What matters is how quickly and well vendors respond to them.
In this case, some squabbling between Intel and AMD aside, it looks like everyone is responding as well as possible for as many customers as possible.
Stay tuned for more.
Update: This article is being updated continuously as the story develops: Statement from Intel added; statement from ARM added. Statement from Google added.