Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, Macs, Chromebooks, and other operating systems all need to protect against them. And worse, it appears that plugging the hole will negatively affect your PC’s performance.
Everyday home users shouldn’t panic too much, though. Just apply the latest operating system updates and keep your antivirus software vigilant, as ever.
Here’s a high-level look at what you need to know about Meltdown and Spectre, in plain language. If you want a deep-dive into the technical details, be sure to read Google’s post on the CPU vulnerabilities. We’ve updated this article repeatedly as new information becomes available.
Meltdown and Spectre CPU flaw FAQ
Editor’s note: This article was most recently updated to include many more details about the Meltdown and Spectre CPU flaws, as well as PC performance comments from Intel and AMD.
Give it to me straight—what’s the issue here?
Again, the CPU exploits in play here are extremely technical, but in a nutshell, the chip’s kernel is leaking memory because of how it handles “speculative execution,” which modern processors perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose extremely sensitive data in your protected kernel memory, including passwords, cryptographic keys, personal photos, emails, or any other data on your PC.
Meltdown is the more serious exploit, and the one that operating systems are rushing to fix. It “breaks the most fundamental isolation between user applications and the operating system,” according to Google. This flaw most strongly affects Intel processors because of the aggressive way they handle speculative execution.
Spectre affects AMD and ARM processors as well as Intel CPUs, which means mobile devices are at risk. (We have a separate FAQ on how Spectre affects phones and tablets.) It’s “harder to exploit than Meltdown, but it is also harder to mitigate,” Google says. There may be no hardware solution to Spectre, which “tricks other applications into accessing arbitrary locations in their memory.” Software needs to be hardened to guard against it.
What’s a kernel?
The kernel inside a chip is basically an invisible process that facilitates the way apps and functions work on your computer. It has complete control over your operating system. Your PC needs to switch between user mode and kernel mode thousands of times a day, making sure instructions and data flow seamlessly and instantaneously. Here’s how The Register puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.”
How do I know if my PC is at risk?
Short answer: It is.
Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has “zero” and “near zero” risk to the two known Spectre variants because of the way its chip architecture is designed.
So if Meltdown’s a chip problem, then Intel needs to fix it?
Yes and no. While Intel will surely address the problem in future chips, the fix for PCs in the wild needs to come from the operating system manufacturer, as a microcode update won’t be able to properly repair it.
So, what can I do?
Not much besides updating your PC with Meltdown patches issued by operating system makers. Since the issue is such a deeply technical one, there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime—advice that Intel also stresses.
Do you know when a fix will come?
It’s already here for Windows, Mac, and Chromebook users.
Microsoft pushed out a Windows update protecting against Meltdown on January 3, the day that the CPU exploits hit headlines. Updates issued outside of Microsoft’s monthly “Patch Tuesdays” are rare, underlining the severity of this issue.
Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which released on December 6, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says.
Linux developers are working furiously to address the flaw in a new kernel update. Expect it soon.
Chromebooks received protection in Chrome OS 63, which released on December 15. Furthermore, the Chrome web browser itself was updated to include an opt-in experimental feature called “site isolation” that can help guard against Spectre attacks. Site isolation is trickier on mobile devices; Google warns that it can create “functionality and performance issues” in Android, and since Chrome on iOS is forced to use Apple’s WKWebView, Spectre protections on that platform need to come from Apple itself. Chrome 64 will include more mitigations.
Mozilla is taking steps to protect against Spectre as well. Firefox 57 released in November with some initial safeguards.
So once I download the Meltdown patch then I’m good?
Well, the operating system patches will plug the risk of Meltdown, but you might not like the side effects. While the fix will prevent the chip’s kernel from leaking memory, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.
How much slower will my PC or Mac become?
It’s complicated.
More recent Intel processors from the Haswell (4th-gen) era onward have a technology called PCID (Process-Context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications—most notably virtualization tasks and data center/cloud workloads—are affected more than others. Intel confirmed that the performance loss will be dependent on workload, and “should not be significant” for average home computer users.
“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.”
Michael Larabel, the open-source guru behind the Linux-centric Phoronix website, has run a gauntlet of benchmarks using Linux 4.15-rc6, an early release candidate build of the upcoming Linux 4.15 kernel. It includes the new Linux KPTI protections for the Intel CPU kernel flaw. The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks. PostgreSQL and Redis suffered a loss, but to a far lesser degree. Finally, H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks didn’t lose anything.
Your mileage will indeed vary, it seems. Keep in mind that Phoronix’s testing was conducted on a non-final release, and that the Linux and Windows kernels are two very different beasts. More testing will need to be performed to see how the Meltdown patch affects Windows PCs and Macs.
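For readers who want to confirm whether a Linux box has actually received the kernel protections discussed above, here is an added example script (not from the article, and not from Phoronix or the kernel developers). Linux kernels from 4.15 onward report each issue’s status in files under /sys/devices/system/cpu/vulnerabilities/, and /proc/cpuinfo lists a pcid flag when the CPU supports the Process-Context Identifiers mentioned above. The sample sysfs files and cpuinfo that the script creates are constructed stand-ins so it runs on any machine; their status strings follow the kernel’s format but are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): classify the mitigation status that a
# Linux 4.15+ kernel reports under /sys/devices/system/cpu/vulnerabilities/,
# and check whether the CPU advertises PCID in /proc/cpuinfo. The sample files
# created below are constructed to mimic the real layout so the script runs
# offline; on a live 4.15+ kernel the same functions read the real sysfs tree.

# Classify one sysfs status line. The kernel writes "Not affected",
# "Vulnerable[: detail]" or "Mitigation: <name>".
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;   # empty (older kernel, no file) or unrecognized
    esac
}

# Read one vulnerability file under DIR; a missing file yields an empty string.
status_of() {
    dir=$1; name=$2
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
    else
        echo ""
    fi
}

# Succeed if the cpuinfo file lists the pcid flag (Haswell and later), which lets
# the KPTI patch avoid flushing the TLB on every switch into the kernel.
has_pcid() {
    grep -q -E '^flags[[:space:]]*:.*[[:space:]]pcid([[:space:]]|$)' "$1"
}

# Print one verdict per issue; return 1 if any issue is still open.
report() {
    dir=$1; rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(classify_status "$(status_of "$dir" "$v")")
        printf '%-10s %s\n' "$v" "$s"
        [ "$s" = "vulnerable" ] && rc=1
    done
    return $rc
}

# --- constructed sample data standing in for a partially patched system ---
SAMPLE_DIR=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/meltdown"
printf 'Vulnerable\n' > "$SAMPLE_DIR/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$SAMPLE_DIR/spectre_v2"
SAMPLE_CPUINFO="$SAMPLE_DIR/cpuinfo"
printf 'processor\t: 0\nflags\t\t: fpu vme de pse pcid sse4_2 avx2\n' > "$SAMPLE_CPUINFO"

echo "== constructed sample =="
report "$SAMPLE_DIR" || echo "at least one issue is still open"
has_pcid "$SAMPLE_CPUINFO" && echo "pcid: yes (smaller KPTI cost)" || echo "pcid: no"

# On a real Linux machine with a 4.15+ kernel, read the live sysfs tree.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    echo "== this machine =="
    report /sys/devices/system/cpu/vulnerabilities || echo "at least one issue is still open"
    has_pcid /proc/cpuinfo && echo "pcid: yes (smaller KPTI cost)" || echo "pcid: no"
fi
```

The constructed sample deliberately shows the mixed picture that was common in early January 2018: Meltdown closed by PTI while the Spectre variants were still reported as open, so the report function’s non-zero exit flags the machine as still needing attention.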
Will my games get slower?
Maybe not. Phoronix also tested Dota 2, Counter-Strike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64. None saw a frame rate change outside the margin of error.
None of those run on Microsoft’s DirectX technology though, which integrates deeply with the Windows operating system. Again, more testing will be needed to see how DX games perform in the wake of the Windows patches.
Are AMD processors affected?
Much, much less than Intel chips. All modern CPUs are vulnerable to Spectre attacks, but AMD says that its CPUs have “near zero” risk to one variant due to the way they’re constructed. The performance impact of Spectre patches is expected to be “negligible.”
There is “zero AMD vulnerability” to Meltdown thanks to chip design, AMD says. If operating system patches exclude AMD CPUs from the new Meltdown restrictions, the performance war between Intel’s chips and AMD’s new Ryzen CPUs may get even tighter.
That sucks! There’s nothing I can do!?
We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.