How Big Tech has left you in the dark about massive CPU flaws

Rob Pegoraro
·Contributing Editor

The of deep-seated processor vulnerabilities going by the names “Meltdown” and “Spectre,” may be the biggest news in computing security in years, but you wouldn’t know that from the sites of some of the companies that should be your first line of defense.

These firms have known about these vulnerabilities longer than most–researchers told them last summer, after first detecting the issue. Having the public disclosure planned for next week moved up after word began to leak should not have left non-techie users with so much to puzzle through when looking for help from the firms behind your devices.

That kind of information vacuum neither helps customers nor security in general. And at worst, calculated silence about these massive flaws may lead anxious users to opt for questionable third-party fixes.

A three-headed problem

Meltdown and Spectre’s two variations take advantage of how modern processors try to work faster by skipping ahead of themselves. They predict the operations that will come up next, then run those tasks sooner.

Teams of researchers found that by timing this back-and-forth of data, a rogue app could start to see system-level data — for example, saved passwords — that would normally be off limits. Having hostile code running on your computer is already a problem you would have had to solve, but this escalates its potential damage.

Meltdown, which appears confined to the Intel (INTC) processors that run most PCs and all Macs, is easier to exploit but easier to patch.

Spectre also afflicts AMD (AMD) processors as well as the ARM chips in many mobile devices. So far, it appears to represent less risk but also require much more work to squash — possibly a new generation of processor architecture that doesn’t optimize so much for speed.

An Intel processor like many of those impacted by the Meltdown flaw. (image: Wikimedia)
An Intel processor like many of those impacted by the Meltdown flaw. (image: Wikimedia)

Good, bad and invisible

What do you do about that as you sit in front of your screen — beyond going back to bed and hiding under the covers? You wait for a patch.

Browser vendors can suppress these attacks by making it harder for any rogue code to time when to peek at the processor shuffling data and instructions. Operating-system developers, meanwhile, can further barricade access to system-level memory.

The company behind your browser and your system software, however, may not tell you much about the timing of those patches.

Google (GOOG, GOOGL), developer of the Chrome browser and the Android mobile operating system, offers the most information. A post on its primary blog points readers to a more technical note that, in turn, points to a detailed how-to that explains that the latest Android security update and a Chrome option separately address these vulnerabilities.

(To enable that “site isolation” option, which may cause Chrome to eat more memory, type “chrome://flags#enable-site-per-process” into its address bar, then click the “Enable” button that appears.)

A Microsoft (MSFT) tech-support note, which by Wednesday afternoon had made it to the top of the company’s security-help page, reports that patches are on the way via the company’s Windows Update system. Microsoft also says that third-party antivirus apps may also block an exploit from being installed. The post also reminds users that they’ll need firmware updates from their computer vendors.

A far-less-obvious post on a Microsoft developer blog documents another option for impatient users or those with uncooperative third-party security tools: visit Microsoft’s Update Catalog site, search for “KB4056890” and pick the right download for your processor architecture.

Apple (AAPL), meanwhile, has yet to talk about this on its customer site, its developer site or its @AppleSupport Twitter account. Third-party reports such as a tweet from security expert Alex Ionescu suggest that its latest macOS update, shipped in December, already addressed the problem, but two Apple PR representatives did not answer an email sent Thursday morning requesting clarification.

This is not the first time Apple’s habit of secrecy has left it treating its customers more like its supplicants. But it’s especially unhelpful here, where there aren’t any hush-hush details about unannounced products at stake.

Now what?!

In my case, an evening and a day of this research left me with only one device I knew to be patched: my Pixel Android phone, which got the January security patch Wednesday night. My HP laptop began downloading it Thursday night, and I really don’t know where my Mac desktop and laptop stand.

In the meantime, I’ve enabled site isolation in Chrome. And I hope I’m lucky.

For most users, that should be enough. There are so many easier ways into a computer, from “social engineering” to trick people into coughing up their passwords to attacking obsolete browser plugins like Adobe (ADBE) Flash, that hackers don’t need to indulge in high-tech tactics like this.

But the amount of attention this issue’s getting may spook people. And when they turn to their computer company and find no help offered, some will lapse into the learned helplessness that leads people to give up on digital security because it all seems broken.

Others will waste money or time on quack remedies that don’t protect their information and may even expose it further. Neither is a good outcome of what’s already an ugly episode for the computer industry.

More from Rob:

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.