Spectre/Meltdown: Long Time No Read
Originally published on June 15, 2018 by Patrick Gebhardt
Last updated on August 31, 2021
It is time again to talk about the most prominent security vulnerabilities of 2018, which haunted the Internet at the beginning of the year, only to turn out to be not so horrible after all. In the end, it's something worth reporting on, but it will not lead to the end of the world. Here are some facts about Spectre & Meltdown, covering everything that has been going on since our last article. But first, a brief etymological digression.
Spectre and Meltdown: two wonderful, spooky names, right? If only you knew what mind came up with this. No, actually, we do. It was this guy. Meltdown owes its name to the fact that it (and I quote) basically “melts” the border between programs and the operating system. Plus: “a (nuclear) meltdown usually comes with some form of leakage. It sounds really devastating, with a huge impact, like an actual meltdown in a nuclear reactor.” Well, okay... Spectre was named along similar lines, which might match the thinking of James Bond scriptwriters. However, the two security gaps have a rather boring plot.
Things Aren't Really Getting Slow
Shortly after the vulnerabilities became known, various media reports speculated about the possible performance losses caused by the patches that fix them. Once the patches had been applied, some systems were expected to compute 30 percent slower than before, and the CPU load could even increase by up to 60 percent.
However, with the benefit of some time, it has become apparent that these figures were greatly exaggerated and that the actual loss of performance caused by the patches is considerably less than initially assumed. The figures mentioned above are also sometimes very questionable, because some benchmarks in particular cause special problems when testing the patches. This in turn is due to the special nature of the security gaps and the strategies for eliminating them, so in some cases synthetic benchmarks reveal very little about realistic application scenarios.
The Linux distributor SUSE even goes so far as to refrain from publishing its benchmark results, citing the many imponderables and affected components in the interaction of hardware and software as the reason.
Actually, There's Still a Loser...
... and it’s Intel. Despite the fact that the company has a pretty clever guy at the top. Intel’s CEO Brian Krzanich was quick enough to sell all but a minimum volume of his Linux shares, worth $24 million, in November 2017, long before the public became aware of the scale of the vulnerabilities.
Now, in mid-2018, a total of eight NEW security holes in Intel CPUs have already been reported to the manufacturer by several teams of researchers; they are currently still being kept secret. All eight are essentially due to the same design problem; they are Spectre Next Generation, so to speak. Each of the eight vulnerabilities has its own number in the Common Vulnerabilities and Exposures (CVE) directory and each requires its own patches. They will probably all get their own names.
Overall, the gaps treated so far show that Spectre and Meltdown were not one-off slip-ups. It is not just a simple hole that could be plugged with a few patches. Rather, the picture is more like Swiss cheese: for each sealed hole, two others appear. This is the result of the fact that in processor development over the last twenty years, security considerations have only ever played second fiddle.
Relax and Keep Your OS Up to Date
People at Intel seem to be pretty busy for the rest of the year, and all the money Brian Krzanich got paid aside, it's probably pretty tiring being Brian Krzanich nowadays. But that doesn't mean that you too should be stressed. Keep your operating system and your browser up to date. This is still the best approach to combating Meltdown and Spectre. Your PRTG installation will run as smoothly as always if you make sure your operating system has all the latest security patches installed.