Do we know the actual risk of Meltdown and Spectre?

There has been a lot discussion about Meltdown and Spectre on this forum and others, but I'm still confused. And I have 2 computers, and possibly 3, that are old enough that no BIOS remedy will be forthcoming so I'm going to be vulnerable to Spectre for the foreseeable future. But how vulnerable is that? I realize that no AV product is going to have AV signatures of malware exploiting Spectre until such programs are discovered and reported, and I've heard that there is no obvious identifying characteristic of programs exploiting the vulnerabilities.

On the other hand, common web hygiene will be just as good at preventing infection by Meltdown and Spectre exploiters as it is for any other malware, won't it? Somewhere I read that the most likely route for exploitation is via browsers. Is there any truth to that? Some common browsers (such as Firefox) have already released fixes.

Bottom line: how dangerous is it to run computers that will not have BIOS fixes?

It's probably dangerous. These vulnerabilities cannot be 100% fixed unless software+firmware updates are in effect. So far, no bios update for my gigabyte motherboard, so I am mitigating the issue at best.

eLPuSHeR said:

It's probably dangerous. These vulnerabilities cannot be 100% fixed unless software+firmware updates are in effect. So far, no bios update for my gigabyte motherboard, so I am mitigating the issue at best.

I support two home built PCs from 2004 having Gigabyte motherboards and there is no sign of a BIOS update yet. I don't really want to ditch two perfectly good PCs. I wonder how long the intelligence agencies have been aware of the Spectre and Meltdown vulnerabilities and have been exploiting them?

I'm not devoting energy to concern over the *latest* "crisis". As I have noted in other postings here, i was recently forced into windows 10 because my ancient XP machine cratered and was not worth fixing. Worked diligently to tame win 10 (shut down ALL updating. Period. And trimmed down all the bloat that I could.)

Have been around computers for some time...learned programming when IBM punch cards were the tools of the day.

Have not used virus protection software since 2000 or so (have my own methods for avoiding crud)

As computing/technology has progressed, I have become increasingly cautious of the tech/socio-political environment. Just look at all the authorized snooping that has evolved in the name of "keeping us safe".

Sad....and my career was as one of the "good guys"

Anywho....make your own mind up and do what you think is best. One of my buddies that I worked with latched on to a security patch (for the current crisis) for his win 10 pro machine and the patch gummed up his set-up. Took him a significant amount of time to undo it.

Meltdown can be fully mitigated at the OS-layer if separate kernel/userspace page tables are used, which looks like the route the major OSes are moving. So this shouldn't be a concern as long as you have an updated OS.

Spectre is the hard one. Assuming no hardware/microcode or OS fixes, individual apps would have to block the exploits.

Recall that these speculative execution attacks require attacker code to be running on your system. This could be in an infected executable, in which case Spectre is the least of your problems.

Or, more likely, the attack code uses some embedded scripting language like Javascript. The script compilation/execution engine in each app would have to implement the mitigations. For Javascript you can be sure that Firefox/Edge/Chrome will be updated. But for proprietary engines like Flash or VBA, or for software that uses an old version of a scripting library and won't update it, you may be out of luck. In those cases you may get some OS-level mitigations that can partially block Spectre. Aside from that you'll have to relay on anti-malware detection.

That said, you don't need to throw out your computers and go live in the woods. There are thousands of exploits found every year (~17000 CVE entries in 2017) that don't use Spectre. As long as you use standard browsing precautions, you are not really at any significantly greater risk than before.

dinosaur said:

I'm not devoting energy to concern over the *latest* "crisis"...

As computing/technology has progressed, I have become increasingly cautious of the tech/socio-political environment. Just look at all the authorized snooping that has evolved in the name of "keeping us safe".

Sad....and my career was as one of the "good guys"

Anywho....make your own mind up and do what you think is best...

And with AI on an un-stoppable ride, who knows what they'll come up with next?!
Don't think they'll use it to find solutions that would require no money spending.
To keep us worried and to corner us even more maybe...