Should you be worried about Meltdown and Spectre?


If you've been paying any attention to the news over the past couple of days then you're bound to have noticed that there's a pair of serious new computer vulnerabilities out there.

Meltdown and Spectre are critical CPU vulnerabilities that make it possible to steal passwords and sensitive data from privileged memory – including the supposedly secure kernel – with a bit of malicious JavaScript in the browser. At first it seemed that mainly Intel CPUs were at risk, but it's since become apparent that most other CPUs are vulnerable too.

Are you at risk?

So are you at risk? The simple answer is that if you're using hardware made within the past 10 or so years, then yes, almost certainly. Whether you're using a PC, a Mac or an iPad Pro, if it's not patched against Meltdown and Spectre then it's a potential target.

On top of that, both Meltdown and Spectre exploit a technique called speculative execution, which boosts performance by operating on multiple instructions at once, so there's a worry that protecting against these vulnerabilities could seriously impact your computer's speed.

The good news is that this doesn't seem to be the case. Apple announced today that it rolled out Meltdown patches for both macOS and iOS back in December, and no one even noticed; it says that the December updates resulted in no measurable reduction in performance.

And it plans to release an update for Safari on macOS and iOS that will mitigate Spectre exploit techniques. Of the two vulnerabilities, Spectre is the harder to exploit but also the harder to protect against, and Apple expects that the Spectre patch could result in a performance hit of up to 2.5 per cent.

Protect and survive

Things could be a lot worse, then; certainly not as bad as the 30 per cent performance hits that many were expecting when news of Meltdown and Spectre first started to appear. And as well as making sure that your system, whatever it may be, is fully patched and up to date, you can add an extra layer of protection in the browser by enabling strict site isolation in Chrome or first-party isolation in Firefox.
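To check those two browser settings across machines, here is a small audit helper, added as an example and not part of the original article. It assumes the Chrome managed-policy key `SitePerProcess` and the Firefox preference `privacy.firstparty.isolate` as the settings behind the features named above; the sample inputs are constructed.

```python
import json
import re

# Firefox stores preferences as lines like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def firefox_first_party_isolation(prefs_text):
    """True if privacy.firstparty.isolate ends up set to true.
    Later assignments override earlier ones; commented-out lines are ignored."""
    enabled = False  # the pref is off unless explicitly set
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == "privacy.firstparty.isolate":
            enabled = m.group(2) == "true"
    return enabled

def chrome_site_isolation(policy_text):
    """True only if the policy JSON sets SitePerProcess to boolean true."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError:
        return False
    return isinstance(policy, dict) and policy.get("SitePerProcess") is True

def audit(prefs_text, policy_text):
    """Return the list of browsers whose isolation setting is missing."""
    missing = []
    if not chrome_site_isolation(policy_text):
        missing.append("Chrome: SitePerProcess not enforced")
    if not firefox_first_party_isolation(prefs_text):
        missing.append("Firefox: privacy.firstparty.isolate not enabled")
    return missing

# Constructed sample inputs (not taken from a real machine).
SAMPLE_USER_JS = '''
// user_pref("privacy.firstparty.isolate", true);
user_pref("browser.startup.page", 3);
user_pref("privacy.firstparty.isolate", false);
'''
SAMPLE_POLICY = '{"SitePerProcess": true, "HomepageLocation": "https://example.com"}'

if __name__ == "__main__":
    for finding in audit(SAMPLE_USER_JS, SAMPLE_POLICY) or ["all isolation settings on"]:
        print(finding)
```

The constructed Firefox sample is flagged because its only active assignment is `false`; the commented-out `true` line does not count.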

However, if you're a web designer or developer then you should be prepared for Meltdown and especially Spectre to cause you ongoing grief. Cloud services are likely to be a lot more vulnerable to attacks as they're bigger and more inviting targets for hackers, and they're also more likely to be hit by performance issues as they mitigate potential exploits. The result for web pros could be sites that either don't run as fast as expected, or stop working altogether if critical services come under attack.

All the major online services have been quick to patch, but as we've already noted, Spectre is going to cause ongoing problems for years to come as it's so difficult to mitigate. So be careful out there, and be ready to take action if your sites suddenly run into trouble.
