Spectre & Meltdown
As I hope everyone has heard, this last week a couple of major CPU vulnerabilities were discovered and fixes have started to roll out. There is a lot of information out there, and some of it has been blown up by the media. That does not take away from how serious these bugs are. At the bottom of this article, I have a video from the researchers themselves showing how spooky this is. The long and short of it is that all CPUs are affected, even those in mobile phones. One of the vulnerabilities, Spectre, is going to be around for a long time and can only be mitigated at this time. It will be a couple of years before it is worked out of the system with new CPUs.
What can they do? These vulnerabilities target the CPU itself and can allow an attacker to read items in the memory of your computer. This can include passwords, encryption keys, bank information, etc.
What do I do? Relax, you don’t have to completely swear off the Internet or computers. Microsoft has released a patch for Windows 10 that will help mitigate the attack (http://www.zdnet.com/article/windows-meltdown-spectre-patches-if-you-havent-got-them-blame-your-antivirus/), but many antivirus vendors need to patch their systems first. Your best bet is to check with your antivirus vendor and make sure the product is up to date before you get the patch from Microsoft. You will also want to update any firmware for your device (which will update the core CPU instructions). These firmware or BIOS updates will be rolling out from the PC makers over the next several months.
For users running Windows 7/8/8.1, the patch will be coming out on Patch Tuesday (1/9/18). I urge everyone to update their PC as soon as possible. Apple has released updates for Mac, and Linux distros have already begun patching. The same will go for mobile phones and tablets. The patches are coming.
What about performance? Some reports of 30% performance hits have been exaggerated. Most users are not going to notice a thing. Even some of the early Windows 10 gaming tests have shown no performance hits (within the margin of error). High-performance computing, such as servers and specialized workloads, may be more affected. As the patches get more tuned and implemented at the hardware level, this hit will soften over time.
What if I still run Windows XP? Please, please retire that computer. XP is not secure on so many levels that I would not recommend running it on the internet in any situation. It’s just not worth it, and modern Windows includes so many, many nice features. For the New Year, you should treat yourself and get rid of XP.
If you have any questions, please feel free to contact me on Twitter or in the comments below. If you want more heavy reading, check out the page the researchers have created: https://meltdownattack.com/