MELTDOWN-SPECTRE: THE MESS CONTINUES


The fallout from the Meltdown and Spectre CPU bugs rolls on. There’s a lot of reading on this topic, but here are some of the bullets you need to know:

  • According to one experienced tester, the Meltdown patches “introduce the largest kernel performance regressions I’ve ever seen.”
  • The early patches might be causing more harm than good … and it’s not just the performance hit. As noted by Security Week, “Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently.” Major software vendors including Microsoft stopped the patches due to instability.
  • The flaws can be exploited from JavaScript running in a Web browser … and proof-of-concepts are already floating around in the wild, according to ZDNet.
  • Intel is coming out with a new set of patches that supposedly avoid the reboots and other problems noted earlier. But considering Intel’s history of attempting to spin its way out of this PR mess and releasing half-baked fixes, I would take the news with a grain of salt.
  • Long-term, the entire world has a big security problem on its hands that won’t be fixed until silicon platforms are rearchitected AND older systems are patched or replaced. This could take years.

If you’re trying to play catch-up with these flaws, the best place to start is this page created by security researchers, which includes links to advisories and patches put out by major vendors.

This is an excerpt from a previous edition of the Priority Payload Report (PPR) newsletter.