Massive security vulnerabilities in modern CPUs are forcing a redesign of the kernel software at the heart of all major operating systems. Since the issues—dubbed Meltdown and Spectre—exist in the CPU hardware itself, Windows, Linux, Android, macOS, iOS, Chromebooks, and other operating systems all need to protect against them. And worse, plugging the hole can negatively affect your PC’s performance.
Everyday home users shouldn’t panic too much though. Just apply all available updates and keep your antivirus software vigilant, as ever. If you want to dive right into the action without all the background information, we’ve also created a focused guide on how to protect your PC against Meltdown and Spectre.
Here’s a high-level look at what you need to know about Meltdown and Spectre, in plain language. Be sure to read Google’s post on the CPU vulnerabilities if you like diving deep into technical details.
Meltdown and Spectre CPU flaw FAQ
Editor’s note: This article was most recently updated to include Apple’s statement about vulnerable devices and a forthcoming Safari patch, information about Intel firmware updates, and a link to our guide to protecting your PC.
Give it to me straight—what’s the issue here?
Again, the CPU exploits in play here are extremely technical, but in a nutshell, the exploit allows access to your operating system’s sacrosanct kernel memory because of how the processors handle “speculative execution,” which modern chips perform to increase performance. An attacker can exploit these CPU vulnerabilities to expose extremely sensitive data in the protected kernel memory, including passwords, cryptographic keys, personal photos, emails, or any other data on your PC.
Meltdown is the more serious exploit, and the one that operating systems are rushing to fix. It “breaks the most fundamental isolation between user applications and the operating system,” according to Google. This flaw most strongly affects Intel processors because of the aggressive way they handle speculative execution, though a few ARM cores are also susceptible.
Spectre affects AMD and ARM processors as well as Intel CPUs, which means mobile devices are also at risk. (We have a separate FAQ on how Spectre affects phones and tablets.) There may be no hardware solution to Spectre, which “tricks other applications into accessing arbitrary locations in their memory.” Software needs to be hardened to guard against it.
What’s a kernel?
The kernel inside your operating system is basically an invisible process that facilitates the way apps and functions work on your computer, talking directly to the hardware. It has complete access to your operating system, with the highest possible level of permissions. Standard software has much more limited access. Here’s how The Register puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.”
How do I know if my PC is at risk?
Short answer: It is. Yes, even if it’s a Mac.
Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. (You can find a full list of affected Intel processors in this article.)
AMD processors aren’t affected by the Meltdown bug. But chips from Intel, AMD, and ARM are susceptible to Spectre attacks. AMD says its hardware has “near zero” risk to one Spectre variant because of the way its chip architecture is designed, but AMD CPUs can still fall prey to another Spectre flaw.
How do I stay safe?
Update all the things. The entire computer industry is moving as quickly as possible to patch in Meltdown and Spectre protections. Right now, you should update your operating system, CPU firmware (if available), and web browser pronto. We’ve created a separate guide to staying safe from Meltdown and Spectre attacks if you need more in-depth help.
Definitely make sure you’re running security software as well—advice that Intel also stresses. No known Meltdown and Spectre attacks have been seen in the wild, but that’s sure to change now that the details are public. Triggering the attacks requires hackers to have access to your PC. An antivirus suite keeps bad guys off your PC. And as always, only download software and apps from reputable sources to reduce the risk of malware infection.
What patches are already available?
Microsoft pushed out a Windows update protecting against Meltdown on January 3, the day that the CPU exploits hit headlines. Updates issued outside of Microsoft’s monthly “Patch Tuesdays” are rare, underlining the severity of this issue.
Intel is also publishing firmware updates for its processors. You’ll need to snag them from your PC, laptop, or motherboard maker (like HP or Gigabyte) rather than Intel itself. By January 12, Intel expects to have released firmware updates for 90 percent of processors released in the past five years to its partners. The company hasn’t announced its plans for older CPUs like the venerable Core i7-2600K or processors from last decade.
Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which was released on December 6, as well as in iOS and tvOS 11.2. Kernel patches are also available for Linux.
Chromebooks received protection in Chrome OS 63, which was released on December 15. Furthermore, the Chrome web browser itself was updated to include an opt-in experimental feature called “site isolation” that can help guard against Spectre attacks. Site isolation is trickier on mobile devices; Google warns that it can create “functionality and performance issues” in Android, and since Chrome on iOS is forced to use Apple’s WKWebView, Spectre protections on that platform need to come from Apple itself. Chrome 64 will include more mitigations.
Other browsers are battening down the hatches against Spectre as well. Firefox 57 was released in November with some initial safeguards, and Edge and Internet Explorer received an update alongside Windows 10. “In the coming days we plan to release mitigations in Safari to help defend against Spectre,” Apple says.
Check out PCWorld’s guide to protecting your PC against Meltdown and Spectre if you need more help.
Will these fixes slow down my PC or Mac?
It’s complicated, but if you’re not working on intensive tasks, it’s looking like you won’t take much of a hit.
More recent Intel processors from the Haswell (4th-gen) era onward have a technology called PCID (Process-Context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications—most notably virtualization and data center/cloud workloads—are affected more than others. Intel confirmed that the performance loss will be dependent on workload, and “should not be significant” for average home computer users.
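As an added example that is not part of this article, here is a small POSIX shell check for the Linux side of the advice above: it reads the Meltdown and Spectre mitigation status that Linux 4.15 and later kernels export under /sys/devices/system/cpu/vulnerabilities, and whether /proc/cpuinfo lists the PCID feature that softens the KPTI performance hit. The function takes the two paths as parameters, and the sample files it runs on are constructed here so the script works offline.

```shell
#!/bin/sh
# Added example, not code from the article. Real paths on a Linux 4.15+ system:
#   /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
#   /proc/cpuinfo  (the "flags" line lists "pcid" when the CPU supports it)

# report_mitigations VULN_DIR CPUINFO_FILE
# Prints one status line per vulnerability plus a PCID line.
# Returns 0 when the kernel reports Meltdown as mitigated, 1 otherwise.
report_mitigations() {
    vuln_dir=$1
    cpuinfo=$2
    status=0
    for f in meltdown spectre_v1 spectre_v2; do
        if [ -r "$vuln_dir/$f" ]; then
            line=$(cat "$vuln_dir/$f")
        else
            # Kernels older than 4.15 do not export these files at all,
            # so the absence of the file is itself a sign the kernel is unpatched.
            line="unknown (kernel does not export this file)"
        fi
        printf '%-10s %s\n' "$f:" "$line"
        case "$f:$line" in
            meltdown:Vulnerable*|meltdown:unknown*) status=1 ;;
        esac
    done
    # KPTI uses PCID to avoid flushing the TLB on every user/kernel switch,
    # which is why PCID-capable CPUs see a smaller slowdown from the patch.
    if grep -qw pcid "$cpuinfo"; then
        echo "pcid:      present (KPTI can reuse TLB entries; smaller slowdown)"
    else
        echo "pcid:      absent (expect a larger KPTI performance hit)"
    fi
    return $status
}

# --- constructed sample input (not captured from a real machine) ---
tmp=$(mktemp -d)
mkdir -p "$tmp/vulnerabilities"
echo "Mitigation: PTI" > "$tmp/vulnerabilities/meltdown"
echo "Vulnerable" > "$tmp/vulnerabilities/spectre_v1"
echo "Vulnerable: Minimal generic ASM retpoline" > "$tmp/vulnerabilities/spectre_v2"
printf 'flags\t\t: fpu vme de pse pcid sse4_2 avx2\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n' > "$tmp/cpuinfo"

report_mitigations "$tmp/vulnerabilities" "$tmp/cpuinfo"
```

Point the function at the real paths to check a live machine; a non-zero exit means the kernel either reports Meltdown as unmitigated or is too old to report at all.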
“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.”
Fortunately, a growing number of tests seem to support Intel’s contention that everyday PC users won’t see dramatic slowdowns, although storage read performance appears to take a hit. It’s worth noting that the tests we’re about to cite were all conducted on CPUs released over the past couple of years—no older chips were tested.
Michael Larabel, the open-source guru behind the Linux-centric Phoronix website, has run a gauntlet of benchmarks using Linux 4.15-rc6, an early release candidate build of the upcoming Linux 4.15 kernel. It includes the new Linux KPTI protections for the Intel CPU kernel flaw. The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks. PostgreSQL and Redis suffered a loss, but to a far lesser degree. Finally, H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks didn’t lose anything.
Hardware Unboxed—a superb PC hardware channel on YouTube—ran tests of several different application types after applying the Windows 10 patch, and the biggest performance hits occurred when moving data around on SSDs, mirroring Phoronix’s findings. Many applications showed little to no performance change with the Meltdown patch applied, including Cinebench and 7-Zip, two CPU-focused benchmarks. You can see Hardware Unboxed’s findings in text format over on TechSpot.
Will my games get slower?
Nope, at least not in the limited testing performed so far.
Phoronix tested Dota 2, Counter-Strike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64. None saw a frame rate change outside the margin of error.
Hardware Unboxed tested a handful of DirectX-based Windows games in the video linked above. With DirectX hooking so deeply into Windows, gamers were worried about a potential performance degradation there. Fortunately, Hardware Unboxed observed virtually no frame rate loss in Ashes of the Singularity, Assassin’s Creed: Origins, or Battlefield 1. Phew.
Are AMD processors affected?
Much, much less than Intel chips. All modern CPUs are vulnerable to Spectre attacks, but AMD says that its CPUs have “near zero” risk to one variant due to the way they’re constructed.
There is “zero AMD vulnerability” to Meltdown thanks to chip design, AMD says. If operating system patches exclude AMD CPUs from the new Meltdown-related performance restrictions—and Linux definitely does—the performance war between Intel’s chips and AMD’s new Ryzen CPUs may get even tighter.
That sucks! There’s nothing I can do!?
We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.