The history of Spectre and Meltdown
Since the beginning of the year urgent news causes trouble in the IT world: the CPU problems Spectre and Meltdown. The CPUs that are affected mostly come from Intel, but also AMD and smartphone chips by Apple and Samsung. Intel was already informed about these security breaches in June 2017 but only made it public at the beginning of January 2018.
Processor bug: What is happening?
Skillfully attackers, exploiting these vulnerabilities, are able to extract data that the computer processes in its memory – including passwords. Modern CPUs count on the so called out-of-order feature. In this process commands are executed speculative and probable not used data is loaded into the cache. Due to bad speculation it is possible that these commands are not executed in the program flow. Exactly those speculations enable the attack scenarios that were discovered.
Which CPUs are affected?
Mostly Intel suffers from these security breaches. They concern for example processors from the Core generation since 2008 but also the series Intel Atom C, E, A, x3 and Z as well as the Celeron and Pentium series J and N.
You can find the official Intel website about this topic and the list of all affected Intel CPUs here.
Also Google takes informs that processors from AMD and ARM are affected. They say Android systems are concerned but they are protected with the last security update from January 2nd. Apple has already fixed some of the bugs and plans to come up with new fixes with the update 10.3.3.
Here you can find the official website from AMD.
Which measures are there against Spectre and Meltdown?
The security breaches can be fixed by using complex security patches for all operating systems. Chaos is dominating the situation right now: BIOS updates with CPU microcode updates are provided by only a few producers. Microsoft already pull back its Windows patch for older systems. Apple gives blurry explanations regarding what happens to Macs produced before 2010, on which macOS High Sierra isn’t running.
According to some sources – which were not confirmed by Intel, AMD or other producers – the security updates slow down the older (produced before 2013) and weaker processors more than modern ones. For desktop PCs, notebooks and tablets with newer CPUs and Windows 10 the performance decrease is minimal. However in case of Windows 7 PCs with older CPUs Microsoft expects significant performance losses. The most concise impacts are found in systems with Intel processors and fast SSDs (especially PCIe SSDs with NVM protocol) when not just Windows updates but also the microcode update is made.
You can find the official Microsoft website here.
Fake BSI mails about the security updates
Caution with fake e-mails about would-be updates concerning Spectre and Meltdown. Written in the name of the BSI (The German Federal Office for Information Security) the writer warns you that your terminal device is vulnerable and wants you to make those updates. You can find an example of such an e-mail under the following link.
Affected spo-comm Mini-PCs
Together with our partners we are constantly searching for solutions and are testing them. We are planning to provide fitting updates as soon as we get reliable information from Intel or Microsoft.
These spo-books are according to the current status not affected:
• spo-book WINDBOX II
• spo-book WINDBOX II Plus
• spo-book BRICK MSE45
• spo-book BRICK NM10
• spo-book TURO GM45
• spo-book NOVA GM45
• spo-book BOX NM10
• spo-book FLUKE NM10
• spo-book iDESK
• spo-book MOVE NM10
• spo-book RUGGED NM10
• spo-book MOVE T56N
• spo-book RUGGED T56N
• spo-book ION 2
• spo-book ION 3
• spo-book POS NM10
• spo-book POS NM10 slim
• spo-book SQUARE 15
• spo-book TECH 92F
• spo-book UNO NM10
• spo-book WINDBOX III
Regarding the Spectre and Meltdown problems spo-comm advises:
• Constantly keep an eye on the updates from Intel, AMD and Microsoft
• First test the updates on a test PC in the deployment scenario before installing them on live PCs
• Test the security patches on older devices and check the performance because it can come to performance losses
• Be careful with BSI e-mails as they can be faked