​How the Meltdown and Spectre security holes fixes will affect you

Get ready to patch every piece of computing gear in your home and company to deal with this CPU nightmare.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Video: AMD vs Intel: Are you in the market for a new desktop processor?

You can't get away from Meltdown and Spectre. These chip bugs will make your life miserable. Everything you run -- and I mean everything -- PCs, Macs, iPhones, tablets, cloud computing, and servers -- use vulnerable CPUs. Apple, Linux developers, and Microsoft have all released patches. And all of them will slow down at least some of your programs.

While Intel gets most of the heat for these hardware vulnerabilities, it's not alone. According to Red Hat, ARM, IBM System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little Endian) processors are all open to attack. AMD claims its chips are largely invulnerable, but it concedes there's a near zero -- but not zero -- risk of exploitation from one class of attack.

So, what does that mean for you? Here's what the experts say you can expect from your devices and services.

Desktops, smartphones, and other end-user devices

To protect your Linux, macOS, or Windows PC, patch it. Now.

Linux patches are out for some, but not all, systems. Red Hat, Centos, and Fedora all have patches. SUSE has released SUSE Linux Enterprise (SLE) patches. Ubuntu and related distributions had scheduled patches to be out on Jan. 9. Now that the news is out, their developers are pushing the fixes out as fast as possible.

On Windows PCs, Microsoft pushed an emergency patch out on Jan. 3. If you didn't get it, go to Start > Settings > Update and Security > Windows Update. Then, click the Check now button under "Update status." You can also just search for "Windows Update." This works on Windows 7 and Windows 8, too.

For Apple systems, iOS 11.2, macOS 10.13.2, and tvOS 11.2 come with patches. Unlike Microsoft, Apple has yet to release patches for older versions of its operating systems.

Android patches were included in 2018's first security patch pack. Unfortunately, only the newest Nexus and Pixel devices have received these so far. Chrome OS users with version 63 are protected. This update was pushed out on Dec. 15, 2017. This fix won't be ported to older versions of Chrome OS. If you're still using an out-of-support Chromebook, it may be time to finally retire it.

Regardless of what computer you're using, you should be wary of JavaScript.

As Alan Cox, a senior Linux developer and Intel software engineer, wrote on Google+ [sic]: "What you do need to care about big time is JavaScript because the exploit can be remotely used by javascript on web pages to steal stuff from your system memory. Mozilla and Chrome both have pending updates. and some recommendations about protection. Also consider things like Adblock and extensions like noscript that can stop a lot of junk running in the first place. Do that ASAP."

Google has announced that Chrome 64's V8 JavaScript engine, which will be released on or around Jan. 23, 2018, will include mitigations for these potential attacks.

While all these patches may reduce some system performance, it's not believed that it will be noticeable on any of these platforms.

Servers and the cloud

It's a different story on servers and the cloud. Red Hat ran extensive Meltdown/Specure performance benchmarks and found the following performance issues:

  • Measureable: 8 percent to 19 percent -- Highly cached random memory with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions are impacted between 8 percent to 19 percent. Examples include OLTP Workloads (tpc), sysbench, pgbench, netperf (< 256 byte), and fio (random I/O to NvME).
  • Modest: 3 percent to 7 percent -- Database analytics, Decision Support System (DSS), and Java VMs are impacted less than the "Measurable" category. These applications may have significant sequential disk or network traffic, but kernel/device drivers are able to aggregate requests to moderate level of kernel-to-user transitions. Examples include SPECjbb2005, Queries/Hour, and overall analytic timing (sec).
  • Small: 2 percent to 5 percent -- HPC (High Performance Computing) CPU-intensive workloads are affected the least, with only 2 percent to 5 percent performance impact, because jobs run mostly in user space and are scheduled using cpu-pinning or numa-control. Examples include Linpack NxN on x86 and SPECcpu2006.
  • Minimal: Linux accelerator technologies that generally bypass the kernel in favor of user direct access are the least affected, with less than 2 percent overhead measured. Examples tested include DPDK (VsPERF at 64 byte) and OpenOnload (STAC-N). Userspace accesses to VDSO like get-time-of-day are not impacted. We expect similar minimal impact for other offloads.

An Amazon Web Service (AWS) discussion thread shows that these slowdowns aren't just testbed results. As one sysadmin complained, "It is simply as if the instance (m1.medium) was somehow degraded to a lesser performing one following the reboot."

Similar performance hits can be expected on Windows and Unix server and cloud systems.

Richard Morrell, CTO and security lead of Falanx, a cyber defense company, said in a technical note to customers [sic], "Amazon, Rackspace, and Verizon along with Microsoft are rebooting swathes of their infrastructure during Friday - Sunday 5th - 8th January. If you are a cloud customer of any provider please seek clarification from your provider. The changes may affect your application performance and your DevOps/Agile leads should consult your vendor to determine if they expect impact at this time."

Other cloud companies are expected to do the same. Besides being ready for brief service interrupts, sysadmins must be ready to deal with poorer performance and greater system loads. It's going to be a hard week for serious cloud users.

All these patches are stop-gap measures. As the Spectre white paper states: "While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak."

Or, as CERT put it, "The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware." Since then, CERT has changed this advice to: "Operating system, CPU microcode updates, and some application updates mitigate these attacks."

Still mitigation is not "fully removing." To be fully secure, you must replace every computing device you own.

Brace yourself, 2018 is going to be a really hard -- and expensive -- year for IT.

Related stories:

Editorial standards