One of Intel's mitigations for a variant of the Spectre vulnerability will reportedly significantly slow down performance of the latest Linux kernel.
The mitigation, called Single Thread Indirect Branch Predictors (STIBP), was put in place by Intel earlier this year when the Spectre vulnerability and its variants were first publicly disclosed. Intel proposed two other mitigations for this particular variant -- Spectre variant 2, tracked as CVE-2017-5715 -- but this one, it turns out, would have a negative effect on Linux 4.20.
If Linux 4.20 is run with Intel chips that implemented the STIBP mitigation for Spectre v2, performance could drop 30% to 50%, depending on the application.
The mitigation applies only to Intel chip models that have hyperthreading, but that still includes Core i3, Core i7 and above, since STIBP became part of Intel's mainline chip production.
Technology website Phoronix reported the significant slowdowns on Linux 4.20 on Nov. 17, 2018, and said they were caused by the addition of kernel-side bits for STIBP.
After seeing the numbers Phoronix reported, Linux creator Linus Torvalds weighed in, suggesting that users disable mitigations for Spectre v2.
"When performance goes down by 50% on some loads, people need to start asking themselves whether it was worth it," Torvalds wrote. "It's apparently better to just disable SMT [simultaneous multi-threading] entirely, which is what security-conscious people do anyway."
SMT is the technology Intel markets as hyperthreading; it was introduced in the early 2000s. Spectre and its variants proved that hyperthreading, which lets two threads share one physical core, makes side-channel attacks possible.
There has been a history of performance drops with Meltdown and Spectre vulnerability mitigations since vendors started rolling them out earlier this year. However, the slowdowns associated with this Spectre v2 mitigation are the most significant.
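The trade-off described above (STIBP's protection against a sibling hyperthread versus its performance cost) is something an administrator can check directly from the kernel's sysfs reports. The following script is an added example, not code from the article or from the kernel project; the sysfs paths are the kernel's own, while the SAMPLE_* strings are constructed stand-ins used when the files are absent.

```shell
#!/bin/sh
# Added example (not from the article): report whether the kernel has the
# STIBP user-space mitigation in effect and whether SMT is active, so the
# cost discussed above can be weighed against the exposure.
# Sysfs paths are the Linux kernel's own; SAMPLE_* values are constructed.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
SMT_FILE=/sys/devices/system/cpu/smt/active

# Constructed stand-ins for running on a host without these sysfs files.
SAMPLE_SPECTRE_V2='Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling'
SAMPLE_SMT='1'

# read_or_default FILE DEFAULT: print the file's first line, or DEFAULT.
read_or_default() {
    if [ -r "$1" ]; then head -n 1 "$1"; else printf '%s\n' "$2"; fi
}

# stibp_state STATUS_LINE: classify the spectre_v2 report as on/off/unknown.
# The kernel appends "STIBP: forced|conditional|always-on|disabled" to the line.
stibp_state() {
    case "$1" in
        *"STIBP: forced"*|*"STIBP: conditional"*|*"STIBP: always-on"*) echo on ;;
        *"STIBP: disabled"*|"Not affected"*|"Vulnerable"*) echo off ;;
        *) echo unknown ;;  # e.g. Enhanced IBRS, where no STIBP token is printed
    esac
}

# verdict STIBP SMT_ACTIVE: combine both facts into one of four situations.
verdict() {
    case "$1/$2" in
        on/1)  echo stibp-with-smt ;;    # sibling-thread protection, at the cost reported above
        on/0)  echo stibp-smt-off ;;     # SMT already off; STIBP adds little
        off/1) echo no-stibp-smt-on ;;   # sibling thread can influence the branch predictor
        off/0) echo no-stibp-smt-off ;;  # Torvalds' suggested configuration
        *)     echo unknown ;;
    esac
}

main() {
    sv2=$(read_or_default "$SPECTRE_V2_FILE" "$SAMPLE_SPECTRE_V2")
    smt=$(read_or_default "$SMT_FILE" "$SAMPLE_SMT")
    st=$(stibp_state "$sv2")
    printf 'spectre_v2: %s\nsmt active: %s\nstibp: %s\nverdict: %s\n' \
        "$sv2" "$smt" "$st" "$(verdict "$st" "$smt")"
}
main
```

On a 4.20 kernel the STIBP behaviour is tuned with the spectre_v2_user= boot option and SMT with nosmt or /sys/devices/system/cpu/smt/control, which is where the verdict feeds in.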
In other news:
- On Wednesday, Nov. 28, Dell informed its customers that their passwords had been reset due to the discovery of unauthorized access in its network back on Nov. 9, 2018. Dell stated that its investigation did not find evidence that data was actually stolen, but it did indicate that an attempt had been made to extract Dell.com user information, including email addresses, hashed passwords and names, and it was unable to definitively confirm that no data had been exfiltrated. Credit card and other sensitive information is not believed to have been exposed. Dell.com reset all account passwords and warned users to change passwords for other accounts that use similar ones. The reset also affected Dell's Premier, Global Portal and support.dell.com online services, but DellEMC.com and DellTechnologies.com accounts are not believed to be affected. It is unknown how many users were affected.
- Microsoft issued a security advisory on Wednesday, Nov. 28, warning users of two applications that accidentally installed root certificates onto computers, along with the corresponding private keys. The two applications, developed by Sennheiser -- HeadSetup and HeadSetup Pro -- are used for softphone setup and management. The error, tracked as CVE-2018-17612, allows malicious third parties to extract the private keys from the two applications and use them to issue forged certificates to spoof websites and software publishers. While the advisory was released earlier this week, the issue was found earlier this year by Secorvo Security Consulting, a cybersecurity consulting company based in Karlsruhe, Germany. The consultancy discovered that versions 7.3, 7.4 and 8.0 had installed two root certificate authority certificates into the Windows Trusted Root Certificate Store. The same certificates were also found to have been installed for Mac users through the HeadSetup macOS app. Sennheiser has since removed the apps from its website and is working on an update. It has also removed the root certificates from affected systems and plans to replace them with new ones that will not leak private keys. To prevent further attacks, customers should update their apps. Microsoft has updated its Certificate Trust List to remove the malicious certificates; instructions on how to manually remove the certificates can be found in Secorvo's report.
- In 2015, Lenovo shipped 750,000 laptops with preinstalled adware -- dubbed VisualDiscovery -- developed by the now-defunct Israeli online advertising company Superfish. On Nov. 21, 2018, a class action lawsuit was settled, with Lenovo paying $7.3 million to affected customers. The adware compromised the online security protections that users had installed on their laptops, performed man-in-the-middle attacks and accessed their financial data. In 2017, Lenovo agreed to pay $3.5 million after signing an agreement with the Federal Trade Commission, Connecticut and 31 other states. Lenovo also promised to alter how it sold devices and, in another agreement, paid an additional $3.5 million to state authorities. All of this comes after Lenovo stated in 2015 that it did not agree with the allegations and that it was unaware of the exploitation of the app by a third party. Lenovo also claimed it stopped selling the software in 2015.