Meltdown and Spectre are big, complicated issues with big, complicated solutions. The good news? If you keep your devices updated, you don’t have anything more to worry about.
The attacks take advantage of how modern computer processors are built, specifically, something called speculative execution. Processors are so fast that it is actually more efficient for them to do extra work that might not be needed, rather than waiting to see exactly what must be done. The issue is that this extra work can sometimes reveal little bits of things that would normally be protected by the computer. An attacker running code on your computer can obtain and piece together those little bits to get the protected information.
There are two levels of fixes for this issue. The first is to stop speculative execution from leaking information in the first place. That requires work from chipmakers (Intel, AMD, and ARM) and likely involves replacing the physical processor with a fixed version. The second is to interfere with an attacker trying to run code to exploit the issue. That requires work from software developers (Microsoft, Apple, Google, and others) and usually just involves updating your software as you normally would.
Because this is a very complicated attack, there is a lot of misinformation about what the attack is and how to defend against it. Below are answers to some general questions.
Aren’t only Intel processors affected?
Intel uses a particularly aggressive form of speculative execution, one that Meltdown specifically targets. All processors that use speculative execution (including Intel, AMD, and ARM) are vulnerable to Spectre.
Is a software update a complete fix?
Right now the software updates released by Microsoft, Apple, and others mainly address Meltdown. Spectre is much harder to fix through software, but it is also harder to exploit.
Is a complete fix possible?
Certainly. That is what chipmakers are currently working on. If you’ve read articles claiming that there is no solution, the reality is that products on the shelf right now are vulnerable because speculative execution is fundamental to how we’ve built processors for a decade. It is only a matter of time before products that aren’t vulnerable begin to arrive.
What can I do in the meantime?
Update your devices. It isn’t a perfect solution, but Meltdown and Spectre aren’t perfect attacks, either: the attacker would have to get code to run on your computer in the first place. Companies were alerted to the issues over six months ago and have had plenty of time to develop ways to make using Meltdown and Spectre harder.
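One way to confirm that an update actually turned the software mitigations on, as an added example that is not part of the original article: on Linux, kernels that carry these fixes report their status for each issue in one-line files under /sys/devices/system/cpu/vulnerabilities. The function names and the three-way verdict below are this example's own choices.

```python
"""Report the Linux kernel's Meltdown/Spectre mitigation status (added example)."""
import sys
from pathlib import Path

# Real sysfs location on Linux; each file holds a single status line.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# Status files covering the issues this article discusses.
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map a kernel status line to 'ok', 'exposed' or 'unknown'."""
    text = status.strip()
    if text == "Not affected" or text.startswith("Mitigation:"):
        return "ok"
    if text.startswith("Vulnerable"):
        return "exposed"
    return "unknown"  # empty, "Unknown: ...", or an unrecognised format


def check(directory=SYSFS_DIR):
    """Return {issue: (verdict, raw status line)} for each issue in ISSUES."""
    results = {}
    for issue in ISSUES:
        try:
            raw = (Path(directory) / issue).read_text().strip()
            results[issue] = (classify(raw), raw)
        except OSError:  # file missing: older kernel, or not Linux
            results[issue] = ("unknown", "no status file")
    return results


def needs_attention(results):
    """List the issues that are not confirmed mitigated."""
    return sorted(name for name, (verdict, _) in results.items() if verdict != "ok")


def main():
    results = check(sys.argv[1] if len(sys.argv) > 1 else SYSFS_DIR)
    for issue, (verdict, raw) in results.items():
        print(f"{issue:12} {verdict:8} {raw}")
    pending = needs_attention(results)
    if pending:
        print("Not confirmed mitigated:", ", ".join(pending))
    return 1 if pending else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script exits non-zero when any of the three issues is not confirmed mitigated, so it can be dropped into a patch-compliance check.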
Won’t the updates slow down my computer?
Yes, they will, but you almost certainly won’t notice it. That 30% slowdown figure that’s been everywhere is for very specific workloads, and browsing the internet, watching videos, and writing documents aren’t any of them.
. . . So why has there been so much publicity about this? It doesn’t seem like that big of a deal.
This is a recurring debate within the computer security community whenever a big new exploit is unveiled. The upside to making flashy names and logos is that the high-value targets who might actually be attacked become aware of the exploits even if they aren’t technical themselves (if a CEO hears about an exploit from The New York Times rather than their IT department, they’ll be much more open to funding fixes). The downside is that everyone else hears about the exploits too, even if they’re at extremely low risk and would be served perfectly fine by their devices’ automatic updates.