Academic and Google-associated researchers just disclosed two vulnerabilities, Spectre and Meltdown. They exploit performance features of modern processors to read arbitrary memory*. When exploited, malicious code using these vulnerabilities can read _everything_ the processor has access to, for instance protected health information on an EMR server. And cloud services are especially vulnerable.
As is customary with major exploits, many affected operating system developers were notified ahead of time** and had a chance to develop patches. Those patches probably fix the vulnerability, but at a major cost to processor performance. Epic Games just posted these CPU utilization graphs showing a major drop in processor performance.
So, basically, some systems still aren't patched, and the patched ones will all get slower. That makes processing costs as a whole more expensive. High-CPU services like gaming servers are being hit hard.
* Most modern processors include branch prediction and speculation. Basically, most modern processors have multiple "pipelines" to execute instructions, and programs run faster when the pipelines are all being used. When those pipelines aren't all being used, newer processors run instructions that may never be needed, called "speculation". This lets an attacker write instructions that should never be run (because of security checks, for instance), but that the processor executes anyway in the name of performance. Combined with caching, this lets an attacker read any and all data currently in memory.
**An "embargo" was placed on releasing patches, as is typical when major exploits are discovered. So, some privileged OSs were notified ahead of time and got to develop patches, which were released with the announcement of the exploits. The patches couldn't be released until the announcement (the embargo) because releasing a patch announces the vulnerability before the other major OSs are ready. Notably, not all OSs were notified, and the BSD developers were caught off guard. All BSD systems are vulnerable as of right now.
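
Since some systems still aren't patched, here is one way to check a Linux host, as an added example that is not part of the original post. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/` (mainline 4.15 and later, plus distribution backports), an interface the post does not mention; the function names are hypothetical and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status from Linux sysfs.

# classify_status LINE: map one sysfs status line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;   # missing entry or unrecognised text
    esac
}

# report_cpu_vulns [DIR]: print one line per issue.
# Returns 0 if every issue is mitigated or not applicable, 1 if any is
# vulnerable or unknown, 2 if the directory does not exist at all.
report_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates this interface, treat as unpatched" >&2
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
        else
            status="(no entry)"
        fi
        verdict=$(classify_status "$status")
        # The raw status is printed too, so qualifiers stay visible for review.
        printf '%-11s %-13s %s\n' "$name" "$verdict" "$status"
        case "$verdict" in MITIGATED|NOT_AFFECTED) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Demo on constructed sample data (not output captured from a real host).
sample=$(mktemp -d)
echo 'Mitigation: PTI' > "$sample/meltdown"
echo 'Mitigation: __user pointer sanitization' > "$sample/spectre_v1"
echo 'Vulnerable' > "$sample/spectre_v2"
report_cpu_vulns "$sample" || echo "=> at least one issue is not mitigated"
rm -rf "$sample"
```

On a real host, call `report_cpu_vulns` with no argument and use the exit status in fleet inventory or monitoring checks.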