Not good at all, but since neither of us uses
any cloud technology, we're at less risk from Meltdown than many other users, and beyond the cloud aspect, the usual common sense rules of surfing appear to be adequate protection in the absence of a patch from Apple. (If the fix is
really a 20-30% machine slowdown, I suspect that many users, myself very possibly included, will ignore it.)
Spectre, on the other hand, isn't described in sufficient detail for me to even begin to assess in what way I may be at risk, so I won't worry about it until Apple tells me that I need to worry.
This quote is laughable!
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,†the company said in a statement. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.â€
Quite bizarre...totally devoid of logic, and not the tiniest bit reassuring.
I haven't fully read-up on the problems yet, but it looks like Google identified the problem some time ago (at least several months?) and notified intel but didn't get much of a reaction. Google immediately started taking steps to protect against the problem.
It sounds like an "information leak" problem. True, it doesn't let you
modify things, but it's a bit like the web bug recently that was allowing web access to snatch random sections of computer memory, hoping to stumble on something critical like a password stored in ram. This is a somewhat similar issue that allows a process to predict what another process is doing. So saying it can't "corrupt, modify or delete data" isn't very consoling, because if it can leverage that to crack a privileged password,
ALL of those things can happen. I think it's a bit deceptive to say that's not a risk - it's not a
direct risk, but it certainly is an
indirect risk!
What it boils down to is that a program written with very well-designed security can be circumvented due to a flaw in the processor, and there's not a lot the program can do to defend itself. The OS will even have a difficult time mitigating this flaw.
It doesn't look like an easy thing to exploit, but that just means it will take longer for exploits to appear in the wild, and the "state actors" will likely be the first to use it. (
if they're not already using it) Eventually the exploit kits will have modules built into them to make it easy for novices to leverage them in an automatic way.
It all comes down to the fact that programmers have to make some assumptions when writing a program. Where security is concerned, they have to make specific assumptions about what information is protected and what information is available to others. (regardless of how unlikely it is) So how much of a problem this causes depends greatly on the assumptions the programmer chooses to make (or HAS to make) when writing the program. It's going to be very hit-or-miss as to how big of a threat this bug is.
