I’ve been trying to read up on this subject, but man the information out there can get overwhelming fast. I’m more of a software guy, hardware is not my expertise.
So please explain in easy to understand terms:
What should I do about these flaws I mentioned? I’m on an Intel ASUS laptop.
Also, I want to buy another laptop at the end of the year. Should any of this affect my buying decisions? Is every computer affected?
You can’t do anything about them, because you can’t make your own CPU chips. (This is a practical limitation, there isn’t any physics preventing you from making a CPU chip, but it’s super difficult and expensive.) You cannot buy a laptop that’s immune to the discovery of new flaws like these, though a new laptop design is likely to include protections against the ones that have been discovered.
To avoid the effects: A) keep evildoers from having physical access to your laptop; B) Only run programs that come from reliable sources (aka not the Internet unless you validate the binaries); C) Don’t run scripting languages in your web browser. It would also be a good idea not to be a terrorist or so super-rich that you’re a target for well-resourced evildoers.
The cool things about these ways of avoiding malware, it works on a large spectrum of malware tactics, not just the chip exploiting ones.
They’re caused be design flaws in the hardware. Namely in the way certain processor components access memory and handle simultaneous multi-threading. It allows attackers to peak at what the processor is working on. Hence why all the software work arounds for it are impacting performance. Because they are essentially bypassing the flawed parts of the chip.
It’s sort of like getting a flat tire in your car, versus the GM ignition switch issues. One’s an easy fix, the other involves the entire part to undergo a complete redesign.
All processors are affected by Spectre to varying degrees. Meltdown is specific to Intel and IBM POWER processors, while Zombieload only affects Intel.
The best way to mitigate it right now is to use AMD or ARM processors, which aren’t as severely effected. I believe AMD has fixed Spectre in their upcoming Zen 2 microarchitecture. Intel is working on fixes for their upcoming Ice Lake microarchitecture, but the release date for that hasn’t been announced AFAIK.
Since it is such a low level issue though, I don’t think consumers have much to worry about. The guys who are actively exploiting these issues will be going after the big iron. Corporate servers and what not to steal credit cards and other data.
Unless you’re a multinational corporation with millions of credit card details and other PID, then you don’t, as nobody is going to spend the time executing them on your computer.
I believe in basic terms they make use of speculative execution. Which essentially means that in reality when your program contains an if statement, the processor will guess the possible result of the if statement (matches the if or not, the “or not” could be else, elif nothing, etc)
The processor will then start to execute that path in parallel with the if. If it was right, it saved time, if not, it didn’t cost any more than if it waited.
The processor has gotten pretty good at guessing so this process is used a lot. Though more in intel CPUs with this bug.
In terms of what to do, stay updated. The updates may affect performance a little, depends on the chip and particular style of program. E.g. hard disk access is more affected.
If you were planning to get a new machine make sure you look at benchmarks that include the new patches. Consider an AMD machine instead maybe.
A major issue with these bugs is that speculative execution is baked into the chip and so cannot be easily changed with firmware updates