Earlier in January updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.
Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:
Meltdown: This is the name of the vulnerability discovered that when exploited by an attacker could allow an application running with standard privileges (not root or elevated privileges) to read memory only intended for access by the kernel.
Spectre: This is a category of two known vulnerabilities that erode the security boundaries that are present between applications running on a system. Exploitation can allow the gathering of information from applications which could include privileged information e.g. usernames, password and encryption keys etc. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge (or IE) by using it to record the current time at very short intervals. This would be used by an attacker to learn which memory addresses were cached (and which weren’t) allowing the attacker to read data from websites (violating the same-origin policy) or obtain data from the browser.
How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs; it is not possible to fully address them. Instead a combination of software fixes and microcode updates (defined) is more a viable alternative than re-designing the established architecture of modern CPUs.
In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and if you own a device/product from them; checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors are available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities which will be more comprehensively addressed in Chrome version 64 scheduled for release last this month.
At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of many existing desktops are unlikely to receive microcode and BIOS updates due to be more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.
Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities; performance issues and stability issues (Intel and AMD) after the installation of these updates have been reported. These vary in severity but according to Intel and Microsoft the updates will be refined/optimised over time.
Benchmarks made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes of large files e.g. databases may be significantly impacted by the performance impact these updates have when accessing files on disk (mechanical and solid state).
Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs which will help reduce the performance impact are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it but any CPU manufactured after 2011 should have it (one of my CPUs; a Core i7 2600K has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.
With the widely reported stability and performance issues present it is your decision if you install the necessary updates now or wait until further refinements. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.
I’m in the process of updating my systems but will benchmark them before and after each updates to determine an impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.
Update: 16th January 2018:
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.
Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out (mentioned above). I’ll update this post when I have tried out this utility.