January 17, 2018

Major CPU Security Flaw: What Libraries Need to Know

Spectre and Meltdown CPU security flawsIntel Corporation this week acknowledged two serious, processor-level security vulnerabilities—named “Meltdown” and “Spectre”—that affect virtually all computers manufactured during the past decade that contain the company’s market-leading CPUs. Processors manufactured by ARM and AMD may also be affected by Spectre, reportedly the more difficult flaw to exploit.

Operating system (OS) developers, who have been aware of the vulnerabilities for several months, are pushing out security updates or including fixes in the latest versions of their OS to mitigate the flaw and urging individual and institutional users, such as libraries, to apply the patches or ensure their machines have been recently updated.

The vulnerabilities were patched for Linux in December, and a “major Linux redesign” is underway to further deal with the problem, according to reporting by ZDNet. Apple has reported that the issue was addressed in macOS High Sierra 10.13.2, also released last month. Windows 7, 8, and 10 users can apply updates released January 3 via Windows Update. Those updates also include fixes for Microsoft’s Edge and Internet Explorer 11 browsers.

Mozilla has reported that the latest version of its Firefox browser (Firefox 57 / Quantum) includes a fix, and longer-term solutions are being researched.

Google is advising users of the Chrome browser to consider enabling the browser’s experimental site isolation security mode (enter chrome://flags/#enable-site-per-process in the Chrome address bar). A permanent fix for the browser is scheduled for rollout with Chrome 64, on January 23, with additional mitigations planned for future versions.

Impact on Chrome, Android, cloud

The flaws were independently discovered by Google’s Project Zero security team, researchers at the Technical University of Graz in Austria, and Cerberus Security.

“The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications,” Project Zero explained in a blog post on January 3. “These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.”

Google has posted a list of its products and their current status of mitigation against the flaws. Chromebooks and other devices with the Chrome OS were patched with version 63, released in December, although the company notes that many older Chrome OS devices are no longer receiving updates.

Users of Android devices supported directly by Google, such as the Nexus 5X and 6P, or Pixel C, XL, and 2/XL are protected by the monthly January update. Google released security patch changes to Android partners in December, and Android users are urged to update their devices as patches are released by other manufacturers, likely this month.

Google has updated the infrastructure of its Google Cloud Platform, although institutional users of Google Cloud Dataflow, Datalab, Dataproc, Launcher, Machine Learning Engine, Compute Engine, and Kubernetes Engine will need to take additional action to patch and update guest environments.

Amazon Web Services and Microsoft Azure issued statements that their cloud infrastructure had been updated as well, along with additional instructions for customers.

Firmware updates, slowdowns

The patches and updates listed above are software fixes that mitigate a hardware problem. To ensure system security, users and institutions will need to apply firmware updates to make systems immune to exploits made possible by the flaws. On January 4, Intel announced that it “has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years.” However, users will have to be on the lookout for these firmware updates, which will be rolled out by manufacturers such as Dell, HP, Asus, Acer, and others in the coming weeks.

Unfortunately, the flaws, as detailed by Ars Technica, involve speculative execution, an optimization technique in which CPUs pre-emptively perform tasks that may or may not be needed by the system. Linux creator Linus Torvalds told ZDNet that fixing the problem may cause minor to significant degradation in performance, particularly for CPU-heavy tasks.

“There’s no one number,” Torvalds said. “It will depend on your hardware and on your load. I think five percent for a load with a noticeable kernel component (e.g. a database) is roughly in the right ballpark. But if you do micro-benchmarks that really try to stress it, you might see double-digit performance degradation.”

It should be noted that these fixes are in their early stages. Later iterations of security patches and firmware updates will help move CPU performance toward prior levels.

Intel stated that the company “continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.”

Matt Enis About Matt Enis

Matt Enis (menis@mediasourceinc.com; @matthewenis on Twitter) is Senior Editor, Technology for Library Journal.

Share
Comment Policy:
  1. Be respectful, and do not attack the author, people mentioned in the article, or other commenters. Take on the idea, not the messenger.
  2. Don't use obscene, profane, or vulgar language.
  3. Stay on point. Comments that stray from the topic at hand may be deleted.
  4. Comments may be republished in print, online, or other forms of media, per our Terms of Use.

We are not able to monitor every comment that comes through (though some comments with links to multiple URLs are held for spam-check moderation by the system). If you see something objectionable, please let us know. Once a comment has been flagged, a staff member will investigate.

We accept clean XHTML in comments, but don't overdo it and please limit the number of links submitted in your comment. For more info, see the full Terms of Use.

Speak Your Mind

*