Since news of two major processor vulnerabilities, Spectre and Meltdown, came to the public's attention this week, technology companies have swiftly begun rolling out patches. They've also been trying to reassure customers that those fixes will not slow down computing performance as much as originally feared.
Meltdown, the first flaw to come to light, affects mostly Intel chips -- likely all of them manufactured since 2010, according to researchers. Meanwhile, studies have found that Spectre affects a large number of the Intel, ARM, and AMD processors that have been produced since the 1990s.
Both vulnerabilities are hardware-based and system-level, and both are connected to how processors access kernel memory or execute instructions to perform tasks and run programs. The bugs could enable malicious actors to access sensitive information found anywhere in a device's memory.
While initial reports suggested patches could slow device performance by up to 30 percent, major tech companies yesterday said they haven't seen significant issues since updating systems to address Spectre and Meltdown. Those tech companies include Amazon, Apple, Google, and Microsoft.
Are You Affected? 'Most Certainly'
Working independently of one another, several different groups of security researchers discovered the Spectre and Meltdown vulnerabilities late last year. Since then, technology companies and programmers had been working on patches while attempting to keep the problem under wraps to prevent hackers and bad actors from trying to exploit the flaws.
After details about Meltdown began coming to light earlier this week, researchers went public with their findings and tech organizations began rolling out patches.
In an online Q&A accompanying their findings, researchers noted that almost everyone is "most certainly" affected by either Meltdown or Spectre, and there is no way to discover whether those flaws have been exploited by a hacker.
They added that it's also unclear whether either flaw has yet been abused "in the wild."
"Desktop, Laptop, and Cloud computers may be affected by Meltdown," the researchers noted. "More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)."
They said their tests found Intel, AMD, and ARM processors were all vulnerable to Spectre, meaning "almost every system" -- including desktops, laptops, cloud servers, and smartphones -- is affected.
'Install Patches, Don't Panic'
Amazon, Apple, Google, and Microsoft are among those that have rolled out software patches over the past few days to address the Meltdown and Spectre bugs. Intel yesterday summarized findings from all of those companies indicating that those updates do not appear to be slowing down patched devices as much as originally feared.
"As Intel and others across the industry partner to protect customers from the exploits (referred to as 'Spectre' and 'Meltdown') reported Wednesday [Jan. 3], extensive testing has been conducted to assess any impact to system performance from the recently released security updates," Intel said yesterday. It added that it "continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time."
While both vulnerabilities can be tackled through software patches, the fix for Meltdown is more effective than the one for Spectre, according to security professional Daniel Miessler.
In addition to PCs, servers, and phones, a wide variety of smart devices will also need patches, noted MachNation analyst Samuel Hale.
"The majority of all Internet of Things (IoT) devices worldwide will need a software update very soon," Hale told us yesterday in an email. "Without great IoT device management, this is going to be extremely difficult to accomplish."
"Clearly these are critical security vulnerabilities, but there is not much that consumers can do other than wait for security patches to be released and then apply them as a matter of priority," UK-based security expert Graham Cluley wrote yesterday. "In short: Don't panic, make a cup of tea (coffee is also acceptable), and ensure that you install patches and security updates as they continue to roll out."