Software and hardware companies are starting to roll out updates to help mitigate the impact of the Meltdown and Spectre security vulnerabilities disclosed this week, which could allow malware to access protected data such as passwords or encryption keys from a computer or server.
Google says it’s already rolled out updates to help protect Android and Chrome OS users, although if you’ve got a phone from a vendor that rarely (if ever) offers security updates, you might be out of luck.
Microsoft has released an update to Windows (although some folks may have to wait a little while if they have an incompatible anti-virus program running on their PC).
We found out about the whole thing a week ahead of schedule largely because The Register and others pieced together clues from patches made to the Linux kernel (which provided hints at the nature of the vulnerability).
Update: Apple has weighed in, confirming its Mac and iOS devices are affected. The company says recent software updates for macOS, tvOS and iOS help mitigate the vulnerabilities, and that upcoming updates to the Safari web browser will help mitigate risk from Spectre.
And Intel says it’s released updates for “the majority of processors” released in the past 5 years, with plans to have updates for 90 percent of all processors released in that time frame by the end of the week. Since most PC users don’t get firmware updates from Intel though, you may need to check with the manufacturer of your PC to see if an update is available.
So what do all of these updates do, and how will they affect your PC’s performance?
That’s kind of an open question for now. Researchers disclosed three different security exploit variants, one of which is classified as a “Meltdown” attack, and the other two of which are “Spectre.”
The Meltdown vulnerability seems to primarily affect Intel processors and possibly some ARM-based chips, but not AMD processors. The good news is that software and firmware updates will likely help protect you against these Meltdown attacks. The bad news is that they do this by changing the way chips use memory, which could have an impact on processing speed in some situations.
Intel says the performance impact “should not be significant” for the average computer user, and Google says that after rolling out updates for its own systems, the company has “observed negligible impact on performance.”
So claims that the security patches could slow down PCs by anywhere from 5 to 30 percent may have been overblown. But the impact is definitely workload-dependent, so while you might not see any change when performing some tasks, you may see some slowdown depending on the CPU you’re using and what you’re using the computer for.
Some Amazon Web Services customers have reportedly been seeing slow-downs in some cloud server instances since Amazon started rolling out updates last month.
For the most part, the updates that are rolling out are meant to protect users against Meltdown attacks. The Spectre class of exploits exposes a brand new type of vulnerability that’s not as well understood. While Intel and others say they have updates that can help mitigate certain types of Spectre attacks, it’s unclear for now whether it’s possible to completely protect a computer from Spectre via software updates alone. The good news, if there is any, is that it’s also harder for an attacker to set up a Spectre attack.
That said, despite Intel’s claims that the update it’s rolling out will render PCs and servers “immune” from both exploits, I don’t think anyone knows for certain whether that’s actually true at this point.
Ultimately, chip makers will probably have to take these vulnerabilities into account when designing future processors in order to fully protect users. But since virtually all modern smartphone, tablet, PC, and server processors already on the market are vulnerable to one or more of these exploits, it’s no surprise that companies are rushing to release software updates to help protect users.
Odds are the computer you’re currently using has a processor that is vulnerable. There’s currently no new computer you can buy that is completely safe. And there may not be for some time to come. If Intel wants to continue selling chips, if Microsoft wants to keep selling software, and if Google wants you to keep looking at ads (in the Chrome browser or on your Android phone), they’re all going to do their best to keep you protected.
I guess we’ll find out in the coming months whether their best is good enough.
For now, the best things you can do to try to protect yourself are:
- Check for operating system updates (Windows, Mac, Linux, Android, Chrome OS, etc.)
- Check for firmware updates (from your device manufacturer)
- Make sure your web browser is up to date (Firefox, Chrome, Internet Explorer, and Edge updates are all available and/or on the way)
Some users also recommend enabling site isolation in your web browser, if possible, as a way to keep malware running on a website from accessing data from another website.