It’s been nearly a month since The Register first revealed that every single major processor in devices today is subject to a series of harrowing security vulnerabilities known as Spectre and Meltdown. Today, in light of news that Intel informed foreign interests of the vulnerabilities before the US government, and that Microsoft is pulling its latest patch from Intel due to some heinous bugs, we thought we’d revisit the saga and what you can (and cannot) do to protect your data.
On January 2nd, The Register revealed that Intel CPUs were subject to serious security vulnerabilities and that the causes of those vulnerabilities were rooted in features of the CPUs that were fundamental to their performance. It quickly became clear that Intel wasn’t the only CPU maker in trouble. Every modern CPU uses the same technique to improve speed and was thus vulnerable to Spectre. That means your iPhone, or your AMD laptop, or the cloud server that Google stores your Gmail on. Intel is particularly vulnerable because of its ubiquity. Its CPUs are found in most major laptops and desktops, and it has 99 percent of the server market share, according to Vijay Rakesh, a securities analyst at Mizuho Securities, in a conversation with CNBC. That means nearly every single server that hosts your data in the cloud is powered by Intel.
But besides Spectre, Intel is also subject to a second vulnerability that its competitors say does not affect them. That’s Meltdown. This means that Intel processors are both more vulnerable and more common. It’s a recipe for disaster that’s compounded by the fact that, as The Register noted, a solution to the vulnerabilities would necessitate slowing down the processors. So you’d get your fix, but you’d be crunching data a lot slower than before the patch.
Things became more dire when, on January 3rd, we learned that Intel CEO Brian Krzanich had sold millions of dollars of Intel stock around the same time he would have become personally aware of the vulnerability. While many have called for Krzanich’s removal, the CEO has denied any wrongdoing and an Intel spokesperson told Gizmodo the sale was “unrelated” to the vulnerabilities. Unrelated or not, it was a bad look for the CEO of a company at the heart of one of the biggest computer security stories in modern history.
Then Intel was hit with the first of what will likely be many class action lawsuits. By January 4th, class actions had been filed in California, Oregon, and Indiana.
But after CES, where Intel lost the PR battle to AMD, Intel announced that 90 percent of affected processors had live patches. That was great news, especially as it arrived the same day as rumors of even more vulnerabilities.
But the news wasn’t as good as Intel, or owners of affected processors, might have hoped. First, the patches do slow down computers. Intel claimed in one benchmark it saw performance drop by as much as 25 percent. The second problem was more unexpected—a bug in many of the patches that leads to processors rebooting more often than they should, oftentimes abruptly. It was only just last week that Intel announced it had found a solution to the reboot problem... but only for some older processors.
And that brings us to this fine morning, when, as The Verge notes, Microsoft finally started pulling its Meltdown and Spectre patches, presumably because they’re causing computers to unexpectedly restart, and because Intel last week asked that operating systems and OEMs pull the patch. It’s great that it took Microsoft a week to finally follow through with Intel’s recommendation that “OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions.”
In addition to one of the largest operating system makers finally pulling buggy patches, the Wall Street Journal reported that Intel may have disclosed the vulnerabilities to foreign computer makers before it disclosed them to the US government. WSJ reports that Intel notified partners including Google (Google’s Project Zero security researchers originally helped discover the vulnerabilities back in June 2017), Amazon, Microsoft, and the Chinese firms Lenovo and Alibaba, far ahead of smaller companies and the US government.
On one hand, this makes some sense. Lenovo is the second-largest PC maker, and Google, Amazon, Microsoft, and Alibaba collectively command a huge portion of the servers used for cloud storage and processing. Letting these companies know about the vulnerability so they could work on solutions before it is made public is ostensibly a good thing. The companies can, ideally, get ahead of any attacks and iron out any significant bugs in their patches.
But The Register’s report came months ahead of Intel’s planned announcement, which means smaller partners and government agencies had to find out about the problem from the news—not from Intel itself. “We’re scrambling,” Bryan Cantrill, CTO of Joyent Inc, a smaller cloud services provider, told WSJ. “We certainly would have liked to have been notified of this,” a spokesperson for the Department of Homeland Security told WSJ.
Of course, that’s because the Chinese government could, potentially, have learned about the vulnerabilities prior to the US government and possibly utilized those vulnerabilities for its own gains.
While the Chinese government declined to comment, an Alibaba spokesperson told WSJ the suggestion that it shared the information about the vulnerabilities with Beijing was “speculative and baseless.” Lenovo, meanwhile, insisted any information from Intel was protected by a non-disclosure agreement. And we have to admit that the idea that China is using successful tech businesses to spy on the US feels xenophobic, particularly after the US government repeatedly postulated these theories (with zero evidence). Recent examples include Huawei’s deal to sell phones on the T-Mobile network being squashed earlier this month after complaints from Congress, and Homeland Security last year accusing DJI of using its drones’ cameras to spy on US citizens.
Whether the vulnerabilities in Intel’s chips were used by foreign agents to spy on US citizens months ahead of the US government’s awareness of the vulnerability remains to be seen. It’s been a week since Intel announced any significant stride in repairing the bugs in its patches and releasing new fixes, so we’re still, unfortunately, in the very early days of this problem.
For now, you’ll have to remain particularly diligent about abiding by best security practices. Don’t click on suspicious links or install software that hasn’t been safely sourced. If you do implement updates from your computer maker or operating system provider, be forewarned that they could slow down your computer or lead to sporadic reboots. Continue to update cautiously and wait for those eventual CPUs that will be completely Spectre- and Meltdown-proof.