Spectre / Meltdown vulnerability : an industry-wide security challenge

You probably heard of the Spectre / Meltdown vulnerability. It's also known as the INTEL KAISER / KPTI vulnerability.

There is presently an embargoed security bug impacting apparently every Intel processor produced for the last 15 years. It allows normal user programs to steal data currently processed on the computer. Suffice to say, this is not great. You can read Intel's press release here.

Intel is currently unable to fix the flaw with a firmware update, you'll have to install a software mitigation

Urgent software mitigation development is being done for all current operating systems and virtualization platforms such as Xen and VMWare. 

Please update your computer right now, I'll wait ...

• Microsoft released today a bug fix KB4056892 (OS Build 16299.192). Please ensure that all your windows based computer run Windows 10 version 1709 in order to be protected. You can expect some issues with your antivirus and the bug fix, be prepared.
• MacOS has been patched since version 10.13.2, according to operating system kernel expert Alex Ionescu. Of course, Apple require a NDA to share the information and more fixes appear to be coming in 10.13.3. Please ensure that all your Mac run MacOS 10.13: High Sierra in order to be protected.
• Check your Linux preferred distribution for a patch
• Microsoft's Azure service has a maintenance period scheduled January 10, 2018. You can expect every cloud providers to update their ecosystems.
• ARM based computer such as the iPhone and iPad are not vulnerable

NO REST FOR THE WICKED

Exploiting the vulnerability allows malicious programs (e.g. Meltdown) to gain access to higher-privileged parts of a computer's memory. Spectre is a similar threat that access data from the memory of other applications. According to several researchers, you can exploit Spectre on Intel, AMD and ARM processors. Damn.

Of course, the solution is not to replace all your current Intel processors. The software fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation (KPTI).

No matter the operating system, the software mitigation will incur a performance hit on Intel based products. The effects are still being benchmarked, however we're looking at a ballpark figure of 3 to 30% slow down, depending on the task and the processor model. 

Recent Intel chips with Process-Context Identifiers (PCID) reduce the performance hit (e.g. Intel Westmere CPU launched on January 7, 2010 or a more recent architecture).  Information about AMD based products is inconclusive.

Don't panic, everyone is in the same boat. Untested bug fix tend to reduce computer availability, be cautious and stay alert for unexpected side effects. Video graphic driver and antivirus are the usual suspect.

Remember, anybody who tries to tell you how this is going to end, today, is selling you something.