The Spectre and Meltdown ‘bugs’ have, rightfully, been hitting the headlines these last two to three weeks. There is still a lot of ‘noise’ and uncertainty, as well as a degree of hysteria about these bugs. And rightfully so – Intel (for example) have been inconsistent about the impact of the microcode ‘fixes’ they have released in response. Initially, they recommended everyone should apply them, but when the number of spontaneous reboots increased ‘out there’ they reined back on that recommendation. PC vendors were initially encouraged to push the fixes, until some of the deployment issues emerged. Principally these were increased reboots and performance ‘hits’.
What should we do about Spectre and Meltdown? Definitely apply the fixes, or wait until the first adopters have worked out the bugs? It is surprising that there has been hardly any questioning over how dangerous these issues actually are in the real world. The enormity of Spectre/Meltdown relates to the scope of CPUs affected – i.e. all from about 1995 onwards – rather than the size of the risk. The following mitigating factors appear to be correct:
- Exploiting these vulnerabilities requires a significantly greater level of technical ability than more traditional malware development.
- The data that can theoretically be obtained is much more limited – i.e. no hard disc data, no keystrokes etc.
- Like traditional malware, something has to run in order to exploit the vulnerability – ‘drive-by’ is not possible.
- OS and browser vendors have already moved to reduce the likelihood of these vulnerabilities having real world impacts.
So overall, there are so many cherries lower down the tree waiting to be picked. Why would common-or-garden malware use these exploits when the degree of technical difficulty is so high and the data you can get from them is so limited?
The lowest risk is of course to just patch.
To test the performance impact of the current Windows 10 Spectre/Meltdown mitigations we ran some Prophecy benchmarks, with and without the patched Windows, on the same machine – a third-generation i5 with 8 GB of memory.
Bottom line – the patched Windows took 13% more time in our tests.
So, everyone has to make their own decision, and what we see on Prophecy is sure to be different to other applications. But a 13% slowdown is non-trivial.
Incidentally, you can test your software in the same way. Steve Gibson / GRC have a small utility which evaluates your machine for the vulnerability and allows you to toggle the protections on and off. It’s here:
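The following PowerShell script is an added example, not code from the original post or from GRC’s utility. It does two things that the comparison above relies on: it reports whether the Windows 10 mitigations are currently overridden (reading the Microsoft-documented FeatureSettingsOverride / FeatureSettingsOverrideMask registry values, and Microsoft’s SpeculationControl module if it is installed), and it times a workload with a warm-up and a median of several runs so that the ‘before’ and ‘after’ figures are comparable. The file-writing workload is a constructed stand-in for a real application benchmark; the function names and the 5-iteration default are this example’s own choices.

```powershell
# Added example (not from the original post): report the Windows
# Spectre/Meltdown mitigation override state and time a workload so the
# same benchmark can be compared with mitigations on and off.
# Registry location and values are Microsoft's documented
# FeatureSettingsOverride / FeatureSettingsOverrideMask switches (KB4073119);
# the status check assumes Microsoft's SpeculationControl module is installed
# from the PowerShell Gallery (Install-Module SpeculationControl).

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverrideState {
    # Windows 10 client enables the mitigations by default; override 3 / mask 3
    # disables both the Meltdown and Spectre variant 2 mitigations.
    $props    = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    if ($null -eq $override)               { return 'Enabled (no override set)' }
    if ($override -eq 3 -and $mask -eq 3)  { return 'Disabled (override 3 / mask 3)' }
    if ($override -eq 0 -and $mask -eq 3)  { return 'Enabled (override 0 / mask 3)' }
    return "Custom (override $override / mask $mask)"
}

function Get-SpeculationStatus {
    # Microsoft's module reports whether the kernel actually has the
    # mitigations active, which is the authoritative answer after a reboot.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        return Get-SpeculationControlSettings -Quiet
    }
    Write-Warning 'SpeculationControl module not installed; showing registry override only.'
    return $null
}

function Measure-Workload {
    param(
        [Parameter(Mandatory)][scriptblock]$Workload,
        [int]$Iterations = 5
    )
    # One discarded warm-up run, then the median of the timed runs (ms).
    & $Workload | Out-Null
    $times  = 1..$Iterations | ForEach-Object { (Measure-Command { & $Workload }).TotalMilliseconds }
    $sorted = @($times | Sort-Object)
    return [math]::Round($sorted[[int][math]::Floor($sorted.Count / 2)], 1)
}

function Get-OverheadPercent {
    param([double]$BaselineMs, [double]$PatchedMs)
    # Extra time taken by the mitigated run relative to the unmitigated one.
    return [math]::Round((($PatchedMs - $BaselineMs) / $BaselineMs) * 100, 1)
}

# Constructed workload: a syscall-heavy loop (small file writes) is the kind of
# thing the Meltdown kernel page-table isolation fix slows down most.
$Workload = {
    $tmp = Join-Path $env:TEMP 'spectre-bench.tmp'
    1..2000 | ForEach-Object { Set-Content -Path $tmp -Value $_ }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

"Mitigation override state : $(Get-MitigationOverrideState)"
$status = Get-SpeculationStatus
if ($status) { $status | Format-List }
$ms = Measure-Workload -Workload $Workload -Iterations 5
"Median workload time (ms) : $ms"
"Record this value, toggle the mitigations, reboot, and run the script again;"
"then compare with: Get-OverheadPercent -BaselineMs <off> -PatchedMs <on>"
```

Run it once in each state (mitigations on, then off, rebooting between the two, since the registry override only takes effect at boot) and feed the two medians to Get-OverheadPercent; a result of 13 corresponds to the 13% extra time seen in the Prophecy runs above. Replacing the constructed workload with your own application’s hot path gives the figure that actually matters for your deployment decision.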