Since the major processor-based Spectre and Meltdown vulnerabilities came to light earlier this month, technology companies have been working to develop and deploy patches across millions, if not billions, of devices. In the meantime, chipmakers Intel, ARM, and AMD face an uphill battle to minimize and contain the long-term damage created by the flaws in their processors.
While researchers who identified Spectre and Meltdown had warned that software patches could cause device performance hits of up to 30 percent, companies rolling out fixes are finding the impacts can vary widely. For example, Google yesterday reported that it had developed a "moonshot" mitigation for Spectre that has no material effect on the workload performance of its cloud customers.
In the meantime, Microsoft this week said it has "temporarily paused" patches for Windows customers running AMD processors after some users reported seeing the "blue screen of death" after the update was applied.
As work continues on short-term fixes, many experts agree the technology industry faces a wholesale reckoning of long-established practices that led to these vulnerabilities in the first place. For instance, cryptographer Paul Kocher told Scientific American this week that Meltdown and Spectre demonstrate a "failure of thought and attention" by chipmakers looking to balance security and performance needs. Kocher was one of the researchers who identified the Spectre vulnerability.
Heavy Fallout for Intel
Intel appears likely to see the greatest fallout from Spectre and Meltdown, as the latter vulnerability affects its processors most of all. Patches should be available for most of its chips made in the past five years, CEO Brian Krzanich said at the CES trade show in Las Vegas this week. He added that Intel is working with other companies to minimize the impact those patches will have on user workloads.
Meanwhile, Krzanich is under fire for having sold around $25 million worth of his personal Intel stock late last year before news about Spectre and Meltdown became public, according to the latest news reports. A securities litigation firm is now investigating that sale, and U.S. Senators Jack Reed (D-RI) and John Kennedy (R-LA) have asked the U.S. Department of Justice and the Securities and Exchange Commission to do the same.
In an update yesterday, Intel executive vice president and Data Center Group general manager Navin Shenoy advised customers to continue applying recommended updates, while acknowledging that some users have had reboot problems after patching.
"We are working quickly with these customers to understand, diagnose and address this reboot issue," Shenoy said in his update. "If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue."
ARM noted last week that the majority of its processors are not affected by Spectre and Meltdown, but the company also provided mitigation actions for those that are.
In an update yesterday, AMD said that patches are now rolling out for many of its affected processors, and that it is working closely with Microsoft to address the patch problems in some of its older systems. "We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week," AMD said.
Symptom of Larger Industry Problem
All services on the Google Cloud Platform had been patched for Spectre and Meltdown by December, Google vice president of engineering Ben Treynor Sloss said in a blog post yesterday.
"This set of vulnerabilities was perhaps the most challenging and hardest to fix in a decade, requiring changes to many layers of the software stack," Sloss said. "It also required broad industry collaboration since the scope of the vulnerabilities was so widespread."
On Tuesday, Apple said it has released iOS and macOS mitigations for both Spectre and Meltdown, in addition to tvOS fixes for Meltdown. The company added that neither vulnerability has affected watchOS for the Apple Watch.
Two of Microsoft's patches for Spectre and Meltdown have resulted in "minimal performance impact" on user devices, while a second fix for Spectre did produce varying effects on performance, with the impacts most noticeable on older devices, Terry Myerson, executive vice president of the Windows and Devices Group, said in a blog post Tuesday.
In a Scientific American interview published Tuesday, Kocher said such bugs are a symptom of a larger industry problem with ensuring IT security.
"When you optimize for objectives -- such as speed -- that interfere with security, you can reasonably expect that you're going to end up with problems," he said. "Spectre is a very clean example of a security/performance trade-off, where speed optimizations led directly to security problems. The fact that these security vulnerabilities affect all of the major microprocessor manufacturers really indicates that there has been a failure of thought and attention, rather than a specific error that an individual or even a single company has made."