Apple is the latest vendor to release patches for the critical CPU flaws as Intel continues its own patching efforts.
Intel CEO Brian Krzanich used the opening of his Consumer Electronics Show (CES) keynote on Jan. 8 to publicly comment on the recently disclosed Meltdown and Spectre security vulnerabilities.
Jan. 9 was originally intended to be the day that the Meltdown and Spectre CPU flaws were first publicly disclosed, but that didn’t happen as media speculation led to the Jan. 3 disclosure of the critical flaws that impact the majority of the world’s CPUs.
„The collaboration among so many companies to address this industry-wide issue across several different processor architectures has been truly remarkable,“ Krzanich said during his keynote. „Security is job number one for Intel and our industry, so, the primary focus of our decisions and our discussions have been to keep our customer’s data safe. “
The Meltdown vulnerability largely impacts Intel CPUs, while the Spectre flaw has broad impact across multiple types of vendor CPUs including AMD and ARM. The flaws could potentially enable an attacker to read items from a system’s memory, that could lead to private information disclosure.
„As of now, we have not received any information that these exploits have been used to obtain customer data and we are working tirelessly on these issues to ensure it stays that way,“ Krzanich said. „The best thing you can do to make sure your data remains safe is to apply any updates from your operating system vendor and system manufacturer as soon as they become available.“
Intel has been busy over the past week making firmware updates available, with Krzanich commenting that over 90 percent of Intel processors will have an update available by the end of the week, with the remainder by the end of January.
Apple
In addition to Intel firmware updates, the Meltdown and Spectre flaws also generally require operating system updates as well. Microsoft publicly released its patches on Jan. 3, though the patches have reportedly been causing trouble for some PC owners with AMD processors.
Apple’s operating system are also impacted by the CPU flaws and the company quietly provided some mitigation for Meltdown in its macOS High Sierra 10.13.1 and iOS 11.0.1 updates, but had not addressed the Spectre issue. On Jan. 8 Apple released the macOS High Sierra 10.13.2, Safari 11.0.2 and iOS 11.0.2 updates to address the Spectre vulnerabilities formally identified as CVE-2017-5753 and CVE-2017-5715.
With Spectre, there was a risk that an attacker could potentially read system memory via a web browser. As such, Apple has now integrated changes into the WebKit rendering engine used in macOS and iOS to help mitigate the Spectre risk.
Detection Efforts
While operating system vendors are rolling out updates to provide risk mitigation, security vendors have been busy building different detection mechanisms to identify possible Meltdown or Spectre attacks.
Among the vendors that have publicly released Meltdown and Spectre detection software is container security vendor Capsule 8. On Jan. 9 the security startup released an open-source Spectre detector, that is able to help detect cache side channel attacks.
„A common element to all of the published attacks for all three vulnerability variants of these attacks so far has been the use of cache timing attacks to leak the read speculatively read data to the attacker,“ Capsule 8 stated in a blog post.
Performance Impact
One of the side effects of the Meltdown and Spectre patches is that the mitigations provided by Intel and operating system vendors have an impact on system performance that can be as high as 30 percent. Among the organizations that have publicly complained about the Meltdown patches impacting performance is Epic Games, which blamed a slowdown of its online gaming platform on the patches. Intel however is downplaying the performance issues related to the patches.
„We believe the performance impact of these updates is highly workload-dependent,“ Krzanich said during his CES keynotes. „As a result, we expect some workloads may have a larger impact than others, so we will continue working with the industry to minimize the impact on those workloads over time.“
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
