Meltdown and Spectre FAQ
Brad Chacos and Michael Simon reveal what you need to know
Massive security vulnerabilities in modern CPUS are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues – dubbed Meltdown and Spectre – exist in the CPU hardware itself, Windows, Linux, Android, Macs, Chromebooks, and other operating systems all need to protect against it. And worse, it appears that plugging the hole will negatively affect your PC’S performance.
Everyday home users shouldn’t panic too much, though. Just apply the latest operating system updates and keep your antivirus software vigilant, as ever.
Here’s a look at what you need to know about Meltdown and Spectre, in plain language. If you want a deep-dive into the technical details, be sure to read Google’s post on the
CPU vulnerabilities. We’ve updated this article repeatedly as new information becomes available.
Again, the CPU exploits in play here are extremely technical, but in a nutshell, the exploit allows access to your operating system’s sacrosanct kernel memory because of how the processors handle ‘speculative execution’, which modern chips perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose sensitive data in your protected kernel memory, including passwords, cryptographic keys, personal photos, emails, or any other data on your PC.
Meltdown is the more serious exploit, and the one that operating systems are rushing to fix. It “breaks the most fundamental isolation between user applications and the operating system,” according to Google. This flaw most strongly affects Intel processors because of the aggressive way they handle speculative execution, though a few ARM cores are also susceptible.
Spectre affects AMD and ARM processors as well as Intel CPUS, which means mobile devices are at risk. It’s “harder to exploit than Meltdown, but it is also harder to mitigate,” Google says. There may be no hardware solution to Spectre, which “tricks other applications into accessing arbitrary
locations in their memory.” Software needs to be hardened to guard against it.
What’s a kernel?
The kernel inside your operating system is basically an invisible process that facilitates the way apps and functions work on your computer, talking directly to the hardware. It has complete access to your operating system, with the highest possible level of permissions. Standard software has much more limited access.
How do I know if my Mac is at risk?
Short answer: it is. Probably.
Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the operating system you are running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has ‘near zero’ risk because of the way its chip architecture is designed.
Intel said recently, though, that the patches that it is issuing – via firmware and operating system patches – “render those systems immune from both exploits.” That’s a big claim from Intel, and has yet to be confirmed.
So if Meltdown’s a chip problem, then Intel needs to fix it?
Yes and no. While Intel may address the fundamental hardware problem in future chips,
the fix for PCS in the wild needs to come from the operating system manufacturer, as a microcode update alone won’t be able to properly repair it. Intel said on 4 January that it had been aware of both vulnerabilities since June 2017, which gives you an idea of how seriously the computing ecosystem has taken both Spectre and Meltdown.
Intel is also publishing firmware updates for its processors. You’ll need to snag them from your PC, laptop, or motherboard maker (such as HP or Gigabyte) rather than Intel itself. Intel’s support page for the flaw links to firmware updates and information from the PC manufacturers it works with. At the time of writing, Intel expects to have released firmware updates for 90 percent of processors released in the past five years by 12
January. The company hasn’t announced its plans for older CPUS like the venerable Core i7-2600k or processors from last decade.
So, what can you do?
Not much besides updating your PC with Meltdown patches issued by operating system makers. Since the issue is such a deeply technical one there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime – advice that Intel also stresses.
Do you know when a fix will come?
It’s already here. Apple quietly protected against Meltdown in macos High Sierra 10.13.2, which released on 6 December, according to developer Alex Ionescu. Additional safeguards will be found in macos 10.13.3, he says. Kernel patches are also available for Linux.
So once I download the patch I’m good?
Well, the operating system patches will plug the risk of Meltdown, but you might not like the side effects. While the fix will prevent the chip’s kernel from leaking memory, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.
How much slower will my Mac become?
It’s complicated. Fortunately, a growing number of tests seem to support Intel’s contention that
everyday Mac users won’t see dramatic slowdowns, although there’s one particular area of concern: drive read performance.
More recent Intel processors from the Haswell (4th-gen) era onward have a technology called PCID (Process-context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications – most notably virtualization tasks and data Centre/cloud workloads – are affected more than others. Intel confirmed that the performance loss will be dependent on workload, and should not be significant for average home computer users.
Will my games get slower?
Probably not. Phoronix also tested Dota 2, Counterstrike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700k and
Radeon Vega 64. None saw a frame rate change outside the margin of error range.
Are AMD processors affected?
Much, much less than Intel chips. All modern CPUS are vulnerable to Spectre attacks, but AMD says that its CPUS have ‘near zero’ risk to one variant due to the way they’re constructed. The performance impact of Spectre patches are expected to be ‘negligible’.
There is “zero AMD vulnerability” to Meltdown thanks to chip design, AMD says. If operating system patches exclude AMD CPUS from the new Meltdown restrictions, the performance war between Intel’s chips and AMD’S new
Ryzen CPUS may get even tighter.
Intel processors have a severe kernel security flaw
Intel’s Core i7-8700k ‘Coffee Lake’ CPU
AMD says there is zero vulnerability to Meltdown