Unfortunately, the year 2018 starts with CPU hardware bugs of the century:
Meltdown & Spectre logo: CC0 Natascha Eibl
In IT security circles these CPU bugs are known as CVE-2017-5754 (Meltdown), CVE-2017-5753 (Spectre Variant 1) and CVE-2017-5715 (Spectre Variant 2).
What does this mean for the CPU users out there? Well:
- all Intel CPUs made since 1995 are affected of all of the three mentioned CPU hardware bugs
- some AMD CPUs are vulnerable to Spectre Variant 2, but not to Variant 1 & never to Meltdown
- IBM didn’t mention which PowerPC CPUs are affected. All systems running PowerPC7 and up will be patched in February. All CPUs below PowerPC7 should be vulnerable
- ARM CPUs are also affected. Unfortunately Qualcomm didn’t release a list yet which Snapdragon Smartphone CPUs are affected against what. Raspberry Pis aren’t affected
The bugs were known to Intel at least since summer 2017 thanks to the Google Project Zero Project. Another team from Austria, Graz, discovered the same bugs in November/December 2017. Between Intel and Google there was an agreement to keep the vulnerabilities secret. This secret was broken and made public by the British website “The Register” on the 2nd of January 2018. Most of the confirmations came from the programmers working on the Linux kernel, their communication is public. They had to work over the holidays and couldn’t enjoy Christmas and New Years Eve. Thus, the Linux kernel is not vulnerable to Meltdown anymore since kernel version 4.14.x since the first week of January 2018.
Concerning Spectre, both variants; currently it could be these fixes won’t work. There is a proposal from the Google team called RETPOLINE, but so far these didn’t make it into the Linux kernel nor into Windows updates or MacOS updates. The other proposal from Intel side was “straight bullshit” according to Linus Torvalds. From what is known today, Spectre will be an IT security problem for at least months to come. Due to the fact this is a hardware bug, it’s almost impossible to fix this from a software side. For real, the only workaround with which you’re safe right now is: change your CPU. Cheers!
Why should you bother?
The problem isn’t really the local machine you’re working with: Meltdown and especially Spectre are incredibly hard to exploit even for skilled hackers. The problem is what kind of data is residing on a server. Whether it be your Emails, your visited websites, your bank account details, your photos of your loved ones, your social media profiles; with the accurate technique all of this data can be stolen without a trace 100% from Intel machines. And according to recent statistics these CPUs run ~70% of the Internet today. All operating systems (Windows, MacOS, Linux, Android, iOS, etc.) are affected anyway. As mentioned before, this is a hardware bug. Usually, hardware bugs are in no way fixable with software patches.
To make things worse and to give you an example of bad morale and integrity, Intel CEO Brian Krzanich sold 250,000 shares of his Intel stocks at the end of 2017. He knew what would lie ahead for him and his rotten company but didn’t think a bit about his customers. This is truly the f***ed up world in which we’re living right now. We hope you can deal with these facts and keep on.
We’re active in the IT sector since 2000 but never experienced anything similar severe to these bad news. Of course we knew that Intel is ahead of the pack regarding bad design and bad behaviour regarding computer processors. What we didn’t know was that Intel didn’t change at all. Since the marketing campaign for the i3/5/7 processors anyone thought they learned from their mistakes. Apparently they didn’t. Which makes Intel probably the most dangerous company in the whole wide world.
Never forget to update your computer in 2018. Good luck to y’all!
the aethyx staff
“Over-specialisation means that there are more persistent vulnerabilities too. A deadly threat.” – “Ghost in the Shell”, Japan, 1995