The Meltdown and Spectre security vulnerabilities in modern CPUs have been making news headlines and have caused quite a bit of panic, because the vulnerabilities can theoretically allow attackers to steal private information without the user’s knowledge. Major OS vendors and projects such as Microsoft, Google, Apple and Linux all started working on OS-level patches well before the vulnerabilities were disclosed to the public, and the patches will soon be available to end users. Since the vulnerabilities lie in the processor architecture design, an OS-level patch can only mitigate them, and it can reduce computer performance by up to 30%.
However, is it really so serious that we, as regular computer users, should panic? My answer is no. Allow me to explain.
1. Although the proof of concept has shown that attackers can theoretically take advantage of the vulnerabilities to steal private information that is protected by the kernel, the exploitation is very complicated and the chance of a successful attack is very low. As a matter of fact, there is no reported instance of attackers successfully abusing these vulnerabilities. But if you think we should not take any chances, then read on.
2. Since they are caused by processor design flaws, there is really nothing we, as end users, can do about them. However, the good news is that patches are being developed or have already been released to mitigate the vulnerabilities, so just hang tight and update your system as soon as the patches are available.
But what about the performance hit from the fixes?
Well, as an end user, you will probably not notice much difference, and Google and Amazon have both said that the performance hit from the fixes is overblown.
To summarize, Meltdown and Spectre are two serious design flaws in modern processors, but there is not much we end users can do to protect ourselves from them, except install the security patches when they become available. So don’t panic; it’s not as if your computer will be hacked or locked by some malicious attacker. Any news site that exaggerates these security holes is just trying to cause panic and attract traffic to its site, and that’s all.