Tech Update: Intel CPU Flaw Mitigations

All the recent noise about Intel processors having flaws boils down to two specific issues. The tech community has nicknamed them Meltdown and Spectre. Meltdown was not so very hard to deal with, which is a lucky thing, because it was the easier of the two for someone to exploit. Spectre was a flaw more deeply burned into the processor itself, and Intel was in panic mode trying to come up with a fix for it, despite how complicated it would have been to actually use. Sure, replacing all the CPUs would do it, but more expensive than anyone wants to think about. It would likely bankrupt Intel to go that route.

So along with the efforts to fix the Meltdown issue, everyone was trying to come up with ways to at least slow down Spectre. The big web browsers did their part with some changes because the easiest route of attack would be through them. Operating System makers shipped some more changes, as well. Microsoft is having to force the AV vendors to quit doing some tricks they used to do by getting their fingers too deep into the Windows kernel, so this is a big mess for the AV and other security software companies.

Ubuntu made the news because their first attempt to issue a fix broke things. That includes my new laptop. I had to learn how to tell the boot controller (called GRUB) to load the old kernel unless told otherwise. What the new kernel broke was suspend, hibernate and shutdown. None of them worked as they were supposed to, so I had to manually shut the system down so I could tweak it to run the old kernel. Eventually Ubuntu fixed the mess and issued yet another kernel update. All is well again.

Finally, Intel came up with something that could be loaded into the OS that mitigates things even further. Instead of having to update all the various BIOS and UEFI loaders built into the processor and motherboard, Intel has a way of loading certain kinds of fixes at boot time in a package they call “microcode.” This is something that talks directly to the CPU and changes its behavior. As soon as Intel made this available, the Linux developers grabbed it and included it as an option. This package of microcode is pretty complex, with a bunch of different stuff depending on which version of which Intel chip you have. Mine is called Kaby Lake, and it’s covered in this update which came out just today. So far as I know, for Windows you need to wait until Microsoft comes out with a special update for this, because it’s a little more complicated working it into that system.

While a lot of folks were fussing about how it appears these combined fixes would slow down how computers worked, wiser heads suggested that most consumers would never notice the difference. So far, I haven’t seen anything. This XPS you folks so generously helped me buy is still awfully fast. However, I’m reading that these fixes do seem to make a difference with a lot of servers, especially those used to run cloud computing services — which is just about every big tech company operation, among others. There’s a lot of background noise about having to buy a lot more hardware just to catch up to where they were, and next time it will be with AMD processors.

Since nobody has caught crackers using these two flaws, it remains to be seen if all these mitigation efforts will work. If it succeeds, nothing happens. If it fails, we won’t know until someone catches it in action. The Spectre problem in particular makes it possible to leave no trace, so that’s the one that has everyone really worried. But the fixes come with a certain amount of testing from hard-core security experts trying to use those flaws on running systems, and so far it looks like it’s working. Whew! The technology world dodged another one.

About Ed Hurst

Disabled Veteran, prophet of God's Laws, Bible History teacher, wannabe writer, volunteer computer technician, cyclist, Social Science researcher
This entry was posted in computers. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s