CERT believes that the Meltdown and Spectre CPU bugs can only be fully mitigated with hardware replacements, but Intel appears to disagree. A recent statement from the company claims that updates will make PCs and servers immune.
In a press release, the chipmaker said, “Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems — including personal computers and servers — that render those systems immune from both exploits.”
It claims that by the end of the week, it will have updates for 90% of processors introduced within the past five years.
However, Meltdown and Spectre are thought to be present in processors up to twenty years old. This is due to where the flaw is embedded – in the kernel operations within a system. When a command is sent to perform any task, the CPU passes control to the kernel, which stays below the surface in processes even once the CPU takes back control. This is to ensure smoother and faster performance, but also means systems are potentially at risk at kernel level.
Are Updates Enough?
However, while the only catch-all solution is to replace the processor, researchers agree updates should be enough for most users.
Virus Meltdown's Martijn Grooten also advises users not to panic.
“Reading arbitrary snippets of memory tends to be hard to weaponize, especially at scale,” he explains. “It is worth remembering that one of the worst vulnerabilities of this decade, Heartbleed, which also involved reading arbitrary memory (though was otherwise unrelated), was never exploited at scale and rarely used in the wild.”
“Information disclosure vulnerabilities in themselves don't allow someone to execute code, which means they are not particularly attractive to most attackers.”
The bigger annoyance of the update method could be a loss in performance. The flaws arose due to a method of increasing CPU performance, which means speed will diminish without it.
There doesn't seem to be a consensus on the impact, with some reporting up to 50%, and others minimal. According to Intel, it depends on what the user is doing.
“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time,” it said.