We knew the vulnerabilities are on many CPUs, including those from AMD, ARM and Intel, and now Nvidia has revealed its GPUs have been hit
A serious design flaw reportedly present in all Intel’s CPUs made in the past ten years is leaving devices vulnerable to hackers, requiring an operating system (OS) update in order to fix it.
The so-called Meltdown flaw allegedly affects all systems running Intel x86 chips and is present across all popular operating systems, including Windows, Linux and macOS. It was thought a second flaw, dubbed Spectre, was only affecting Intel, AMD and ARM cores, but now it seems Nvidia has joined the list, showing how the flaw extends to GPUs.
Nvidia revealed that its GeForce, Quadro, NVS, Tesla and GRID chips are seemingly protected against Meltdown, but they are at risk from at least one of the variants of the Spectre bug, and could be “potentially” affected by Spectre’s second variant.
To solve the issue, Nvidia is updating relevant drivers to at least tackle the known vulnerability. A future update is expected to tackle the other. GeForce, Quadro, NVS driver updates are ready now, or will be very shortly. Tesla and GRID updates will be coming by the end of the month. In particular, the Tesla update is expected week of 22 January and GRID customers are simply being given the timeframe before the end of January 2018. More technical details can be found here.
During his keynote speech at CES 2018, Intel’s CEO Brian Krzanich committed to fixing all affected processors by the end of January, building on claims 90% would be sorted by the end of this week.
Following disclosure of the flaws, Intel was hit with at least three class-action lawsuits by plaintiffs in California, Oregon and Indiana. The plaintiffs are seeking compensation and all three criticise Intel for not disclosing the flaws earlier, despite being told by security researchers about them in June. Intel said it doesn’t comment on ongoing legal issues.
Intel, among others, have been heavily criticised, however, for the fact many of the fixes issued by manufacturers and software developers have been slowing devices down.
“We believe the performance impact of these updates is highly workload dependent,” Krzanich said. “We expect some may have a larger impact than others, so we’ll continue working with the industry to minimise the impact on those workloads over time.”
Yet Microsoft took things a step further. After the update reportedly begain bricking machines running AMD chips – in particular, AMD and Microsoft customers were getting the blue screen of death and unable to get past the splash screen in Windows 10 after the patch was applied – Microsoft is pausing the rolling out of updates until it can solve the problem.
In a statement, the company said: “Microsoft has had reports of customers with some AMD devices getting into an unbootable state after installing recent Windows operating system security updates. To prevent AMD customers from getting into an unbootable state, Microsoft will temporarily pause sending the following Windows operating system updates to devices with impacted AMD processors at this time.”
It also seemingly passed the buck for the problem back to AMD, claiming that some AMD chipsets do not “conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”
Apple recently confirmed that all iOS devices are at risk from attack; all iPhones and iPads are affected by both Meltdown and Spectre. Apple Watch is only affected by Spectre. Apple was quick to stress that “there are no known exploits impacting customers at this time” and has already issued fixes for the flaws as part of iOS 11.2.2.
In particular, iOS 11.2, MacOS 10.13.2 and tvOS 11.2 will protect the devices against Meltdown and iOS 11.2.2 will offer a fix for the rest of the vulnerabilities. Apple said it now plans to release fixes for its Safari browser “over the coming days” to help defend against Spectre.
This comes at a time when Apple is facing fierce criticism over claims it deliberately slowed down older iPhones.
Meltdown and Spectre
A security blog post from Google researchers explains that its Project Zero team found serious security flaws in Intel, AMD and ARM chips caused by “speculative execution” – a technique used by most modern processors (CPUs) to optimise performance – last year.
Project Zero researcher Jann Horn showed that hackers could take advantage of this flaw to read system memory that should be out of bounds. For example, they could use the bug to read passwords, encryption keys or private data in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine.
“These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them,” the blog continued.
As soon as Google learned of the attack, it said it updated its systems and affected products. It also began working with hardware and software manufacturers to help protect their users and the web.
The biggest issue, beside the security vulnerability, though is that fixing the flaw will cause “significant declines in performance for the affected machines”. This means your computer or phone could become as much as 30% slower in the pursuit of being safer.
Google has published a technical breakdown. Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday.