
January 04, 2018

Google to the rescue!

First, Google's Project Zero researchers found the CPU-level security vulnerabilities known as Meltdown and Spectre. Now, they've found the cure... or, at least, a more efficient workaround, as reported in The Verge:
Google just gave chipmakers some much needed good news. In a post on the company’s Online Security Blog, two Google engineers described a novel chip-level patch that has been deployed across the company’s entire infrastructure, resulting in only minor declines in performance in most cases. The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique. If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted.
“There has been speculation that the deployment of KPTI causes significant performance slowdowns,” the post reads, referring to the company’s “Kernel Page Table Isolation” technique. “Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
[...]
That assessment is consistent with early reports from Intel, which had said slowdowns would be “highly workload-dependent and, for the average computer user, should not be significant.” Those claims were met with skepticism, with many seeing them as an effort by Intel to downplay the impact of the newly public vulnerabilities. At the same time, some early benchmarks saw slowdowns as high as 17 percent.
More recently, Intel announced it had deployed patches that would render chips immune to the new attacks, and restated that the performance impact was not significant. It’s difficult to confirm Google and Intel’s claims until the patches are deployed, but it’s significant that Google has joined the chipmaker in reporting minimal slowdowns.
As someone who met Intel's early minimal-impact claims with skepticism, I can honestly say to all Core i5 users that I'm glad to learn that the picture is looking less grim than first thought. I'm still glad to be an AMD man, though, and even more glad that Google were awake at the switch for this one. People give Google a lot of grief for sometimes acting like they've forgotten their original mission statement, but this, folks, is what they meant by "don't be evil." Not only were they not evil, they used their powers for good, and are extending help to anyone who needs it, for free.

Intel, meanwhile, is claiming to have finished patches for 90% of their products released in the past five years, which sounds a little weaksauce considering that Meltdown affects Intel products released in the last ten years, much like the firmware issue that was reported a few months ago. And there's also the small matter of Intel, who were notified about Meltdown and Spectre back in June, being led by a CEO who sold off a bunch of stock in October, before either flaw became public knowledge, as reported by MP1st, among others:
Suspiciously, Intel CEO Brian Krzanich sold off $24 million worth of stock late last year before the vulnerabilities became public knowledge. An Intel spokesperson said the stock trade was “unrelated” despite Intel knowing about the issue for five months.
Oops! I predict that the SEC will be investigating that piece of business.

Intel's stock price has, naturally, dropped as a result of all this news, while AMD's has risen, but I suspect that Intel's troubles over these flaws are only beginning.

UPDATE:

One minor correction: While Jann Horn at Google Project Zero came to similar conclusions independently, it looks like credit for discovering Meltdown actually goes to an independent researcher named Daniel Gruss, whose feat of security research is described in this article by The Verge:
The 31-year-old information security researcher and post-doctoral fellow at Austria’s Graz Technical University had just breached the inner sanctum of his computer’s central processing unit (CPU) and stolen secrets from it.
Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor’s ‘kernel’ memory, which is meant to be inaccessible to users, was only theoretically possible.

“When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked,” Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.
Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.
“We sat for hours in disbelief until we eliminated any possibility that this result was wrong,” said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.
Gruss and his colleagues had just confirmed the existence of what he regards as “one of the worst CPU bugs ever found”.
Damn, Daniel! (Sorry, I couldn't resist.) Seriously, though, congratulations to Mr. Gruss for some solid detective work.

UPDATE #2:

Cue the lawsuits! As reported by Gizmodo:
It’s been just two days since The Register first reported that all Intel x86-64x processors were subject to a severe security vulnerability, and already Intel has been hit with at least three separate class action lawsuits related to the vulnerability.
The Register first reported the news on January 2nd, noting that the solution to fixing the vulnerability could result in slowdown of the affected computers. Intel has since claimed that any performance penalties would be negligible, and today Google, which has implemented a fix on its affected servers (which host its cloud services, including Gmail), wrote that, “On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
Plaintiffs in three different states disagree. As Law.com first noted, a class action complaint was filed January 3rd in United States District Court for the Northern District of California. Since then Gizmodo has found two additional class action complaints filed today (just eleven minutes apart)—one in the District of Oregon and another in the Southern District of Indiana.
All three complaints cite the security vulnerability as well as Intel’s failure to disclose it in a timely fashion.
That's some fast work, and I have a feeling that there are more to come.

October 23, 2017

Comparing bowling balls to oranges

Earlier this month, security researchers at Google's Project Zero grabbed some attention when they called out Microsoft for leaving vulnerabilities unpatched in Windows 7 and 8.1 long after those vulnerabilities had been patched in Windows 10. This, GPZ's researchers argued, was bad practice, creating extra risks for Microsoft's customers on those older platforms... especially problematic for Windows 7, of course, since it still holds 47.21% of the desktop OS market.

This is not a new thing for Google, of course, who have been disclosing unpatched and actively-exploited vulnerabilities since 2013, in an attempt to goad Microsoft into patching some of them. This was the whole point of Project Zero - the vulnerabilities at issue were already actively being attacked, and the companies who should be plugging these security holes were dragging their feet on fixing them.

Microsoft's products, being in widespread use, were often targets of these attacks, and Microsoft have often been slow to patch them, which has led to Google's team embarrassing Microsoft over and over again, for four long years, on the subject of their products' security. Well, Microsoft appears to have decided that it's time for some tit-for-tat payback, of the absolutely pettiest sort, and are now going out of their way to embarrass Google over vulnerabilities in Chrome... which Google had already quite responsibly patched shortly after being privately notified of them, and without needing to be publicly shamed into doing so. Something that Microsoft currently aren't doing.

From Paul Thurrott:
“Security is now a strong differentiator in picking the right browser,” a post on the Microsoft Security Response Center begins.
Yikes.
Worse, Microsoft didn’t randomly discover a flaw in Chrome, alert Google, and then wait some period of time before disclosing it publicly. Instead, it specifically started a project to “examine Google’s Chrome web browser” for security problems. And it found some. Alerted Google. And then disclosed it publicly, after taking careful note of how long Google took to fix them. In short, Microsoft just wanted some revenge on Google.
To compare what Microsoft just did (attempting to embarrass Google for having responsibly patched a product in a timely manner after being alerted of a weakness) to what Google did two weeks ago (attempting to embarrass Microsoft into patching vulnerabilities in Windows 7 and 8.1 that they'd already patched in Windows 10, but inexplicably left open to attack for 53.1% of desktop PC users) is to compare bowling balls to oranges. The two things might both be round, but that is where the similarities end.

Microsoft's lax approach to security for Windows 7 and 8.1 users, i.e. most Windows users, is bad practice, and makes those users less safe. Google only started calling them out on this sort of shit, four years ago, because it was the only way to goad them into sluggish action where a quick response was clearly called for. The vulnerabilities that GPZ was calling Microsoft out for, two weeks ago, are still not patched, unless I've missed something.

For Microsoft to research security problems in Chrome is fine; most Windows users also use Chrome, so alerting Google to potential vulnerabilities keeps Microsoft's customers safer, assuming that Google can issue patches in a timely fashion, which they did. For Microsoft to turn around and try to embarrass Google for responsible behaviour, however, behaviour in which Microsoft themselves do not engage, all in an attempt to push users from Chrome to Edge by baseless scare-mongering, is reprehensible.

Microsoft haven't just surrendered the high ground here; they've wallowed in the filth, and accomplished nothing in the process except to make themselves look desperate.

May 10, 2017

Most secure Windows evah...

Do you remember Microsoft telling everybody that they needed to upgrade to Windows 10 as soon as possible, because security? Do you remember them saying, over and over again, that Windows 10 was the most secure OS ever made, and that Windows 7 was a leaky sieve by comparison? Well, about that, here's the thing, funny story... it's bullshit. Surprise!

From Express.co.uk:
Windows users are being urged to update their PCs immediately after a serious vulnerability was discovered over the weekend.
The shocking flaw in this popular operating system was found by researchers working for Google's Project Zero cyber-security operation, with them calling it the worst Windows remote code in recent memory.
The bug could allow hackers to take over any PC simply by sending an infected email, instant message or by getting the user to click on a link in their web browser.
Tavis Ormandy, a vulnerability researcher at Google who discovered the bug, said in a tweet "This is crazy bad."
To show how serious the problem is, Microsoft has immediately pushed out a major security update which is available to all users now.
[...]
Anyone using Windows 8, 8.1, 10 and Windows Server operating systems is affected by the bug and should now check for the security update.
Yes, that's right, this "crazy bad" vulnerability has been part of Windows since Windows 8, and is only being found and patched now. In other news, it seems that Windows 8 and Windows 10 really are the same operating system, just with different UIs. Still on Windows 7? No worries, brah, you're still good.

On the plus side, Microsoft did work quite quickly to patch this one, something which Mr. Ormandy praised them for, but that doesn't alter the basic fact that 1) there is no such thing as perfect security, and 2) even if there were such a thing, Windows 10 is not that thing.