Do we know the actual risk of Meltdown and Spectre?


  1. Posts : 490
    Win10 x64 Pro -2 desktops, 1 laptop
       10 Jan 2018 #1

    Do we know the actual risk of Meltdown and Spectre?


    There has been a lot discussion about Meltdown and Spectre on this forum and others, but I'm still confused. And I have 2 computers, and possibly 3, that are old enough that no BIOS remedy will be forthcoming so I'm going to be vulnerable to Spectre for the foreseeable future. But how vulnerable is that? I realize that no AV product is going to have AV signatures of malware exploiting Spectre until such programs are discovered and reported, and I've heard that there is no obvious identifying characteristic of programs exploiting the vulnerabilities.

    On the other hand, common web hygiene will be just as good at preventing infection by Meltdown and Spectre exploiters as it is for any other malware, won't it? Somewhere I read that the most likely route for exploitation is via browsers. Is there any truth to that? Some common browsers (such as Firefox) have already released fixes.

    Bottom line: how dangerous is it to run computers that will not have BIOS fixes?
      My ComputerSystem Spec

  2.    11 Jan 2018 #2

    It's probably dangerous. These vulnerabilities cannot be 100% fixed unless software+firmware updates are in effect. So far, no bios update for my gigabyte motherboard, so I am mitigating the issue at best.
      My ComputerSystem Spec

  3.    11 Jan 2018 #3

    eLPuSHeR said: View Post
    It's probably dangerous. These vulnerabilities cannot be 100% fixed unless software+firmware updates are in effect. So far, no bios update for my gigabyte motherboard, so I am mitigating the issue at best.
    I support two home built PCs from 2004 having Gigabyte motherboards and there is no sign of a BIOS update yet. I don't really want to ditch two perfectly good PCs. I wonder how long the intelligence agencies have been aware of the Spectre and Meltdown vulnerabilities and have been exploiting them?
      My ComputersSystem Spec


  4. Posts : 9
    windows 10 home edition
       11 Jan 2018 #4

    alfred e neuman - "what - me worry ?"


    I'm not devoting energy to concern over the *latest* "crisis". As I have noted in other postings here, i was recently forced into windows 10 because my ancient XP machine cratered and was not worth fixing. Worked diligently to tame win 10 (shut down ALL updating. Period. And trimmed down all the bloat that I could.)

    Have been around computers for some time...learned programming when IBM punch cards were the tools of the day.

    Have not used virus protection software since 2000 or so (have my own methods for avoiding crud)

    As computing/technology has progressed, I have become increasingly cautious of the tech/socio-political environment. Just look at all the authorized snooping that has evolved in the name of "keeping us safe".

    Sad....and my career was as one of the "good guys"

    Anywho....make your own mind up and do what you think is best. One of my buddies that I worked with latched on to a security patch (for the current crisis) for his win 10 pro machine and the patch gummed up his set-up. Took him a significant amount of time to undo it.
      My ComputerSystem Spec

  5.    11 Jan 2018 #5

    Meltdown can be fully mitigated at the OS-layer if separate kernel/userspace page tables are used, which looks like the route the major OSes are moving. So this shouldn't be a concern as long as you have an updated OS.

    Spectre is the hard one. Assuming no hardware/microcode or OS fixes, individual apps would have to block the exploits.

    Recall that these speculative execution attacks require attacker code to be running on your system. This could be in an infected executable, in which case Spectre is the least of your problems.

    Or, more likely, the attack code uses some embedded scripting language like Javascript. The script compilation/execution engine in each app would have to implement the mitigations. For Javascript you can be sure that Firefox/Edge/Chrome will be updated. But for proprietary engines like Flash or VBA, or for software that uses an old version of a scripting library and won't update it, you may be out of luck. In those cases you may get some OS-level mitigations that can partially block Spectre. Aside from that you'll have to relay on anti-malware detection.

    That said, you don't need to throw out your computers and go live in the woods. There are thousands of exploits found every year (~17000 CVE entries in 2017) that don't use Spectre. As long as you use standard browsing precautions, you are not really at any significantly greater risk than before.
      My ComputerSystem Spec

  6.    14 Jan 2018 #6

    dinosaur said: View Post
    I'm not devoting energy to concern over the *latest* "crisis"...

    As computing/technology has progressed, I have become increasingly cautious of the tech/socio-political environment. Just look at all the authorized snooping that has evolved in the name of "keeping us safe".

    Sad....and my career was as one of the "good guys"

    Anywho....make your own mind up and do what you think is best...
    And with AI on an un-stoppable ride, who knows what they'll come up with next?!
    Don't think they'll use it to find solutions that would require no money spending.
    To keep us worried and to corner us even more maybe...
      My ComputerSystem Spec


 

Related Threads
Read more: https://support.microsoft.com/en-us/help/4073757/protect-your-devices-against-spectre-meltdown See also: Windows Client Guidance against speculative execution vulnerabilities - Windows 10 Forums Understanding performance impact...
I am running FCU Win 10 Pro on a MSI P35 Neo F v1 motherboard with Core 2 Duo E8400 CPU. I have ran the MS controlsettings script which informs me I am protected from Spectre by Windows Update but not Meltdown without a BIOS/Microcode update. As...
https://www.howtogeek.com/338801/how-to-check-if-your-pc-is-protected-against-meltdown-and-spectre/ Curious if anyone has run this particular script having followed the directions in the article. I am modestly comfortable running PowerShell but...
Source: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems Microsoft Secure
Source: Meltdown and Spectre: what you need to know - Malwarebytes Labs | Malwarebytes Labs See also: Windows Client Guidance against speculative execution vulnerabilities - Windows 10 Forums
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 14:50.
Find Us