UPDATE 1/8/2018: Intel claims that patches for Meltdown and Spectre will be coming to 90% of CPUs in the coming week. CPU performance impacts to single users have been minor at worst so far, although some cloud providers have experienced troubles with their services and pointed fingers at the bug.
UPDATE 1/4/2018: Earlier impressions were that only Intel processors suffer from the bug, now known as "Meltdown," that lets bad actors access sensitive information. Reuters is now reporting that a similar hardware issue known as "Spectre" affects both AMD and ARM CPUs, effectively putting virtually all computers and mobile devices at risk.
The actual details of this bug are quickly becoming better known after The Register's reporting spurred awareness. The bug is known as "Meltdown."
Intel CPUs have been using a special trick to jump back and forth between the kernel’s machine code and user-level commands quickly enough to keep up the pace with the user’s demands. Unfortunately, this shortcut also leaves the door open for just long enough for a sufficiently determined someone or something to sneak through, sift through the kernel memory, or even execute arbitrary code on the kernel level.
The deepest, highest-privileged, and most-private section of your computer is the kernel. To you, the user, the kernel is akin to a god, invisible and omnipotent as it looks down on you and answers your prayers. You can go through your life using your computer without caring so much that the kernel exists, but its existence ties the universe together.
The most devastating security holes in computer systems take this invisible and distant god and drag it down to earth. It’s just like the classic Joan Osborne song that asks “What if God was one of us…” only significantly more frightening.
Your computer’s ecosystem is divided into tiers of privilege known as “Rings.” The lower the ring, the higher the privilege. The kernel lives on Ring 0; you, the humble user, live on Ring 3. Ring 0 is the Asgard to your Midgard.
In October 2017, in our blog post on the Thunderstrike exploit, which affected Mac computers, we talked about how hardware flaws can let intruders sneak into lower rings and compromise systems. In the case of Thunderstrike, a flaw potentially allowed access to rings even lower than Ring 0.
This Intel bug, now known as Meltdown, is probably bigger and more worthy of your concern than Thunderstrike.
Your system is more likely to be compromised. Between Meltdown and Spectre, virtually all Intel and AMD processors, along with a small but significant subset of ARM processors, can fall victim to these cache-timing side-channel exploits.
And that includes the big names, not just home users. Even platforms such as Amazon EC2, Microsoft Azure, and Google Compute Engine will feel the impact.
The only fix for the bug is a more solid wall between the kernel and the user space… which prevents Intel CPUs from switching rapidly between the two rings. Patches for Windows, Mac, and Linux kernels will close the backdoor Intel CPUs have been using. Unfortunately, by cutting off the CPU from its handy shortcut, the processor’s performance suffers. Any Intel processor produced in the past decade could potentially see a performance reduction of anywhere from five to thirty percent depending on the specific model of processor. Linux users who have already patched their systems have documented these performance hits. However, the most recent updates for macOS Sierra and High Sierra do not seem to have noticeably affected CPU performance, and Intel is downplaying the effect of patches on CPU performance.
Imagine what a performance decrease of up to 30 percent could mean for large data centers such as those owned by Amazon or Facebook.
While this bug, now known as "Meltdown," only affects Intel processors, a similar vulnerability dubbed "Spectre" affects Intel, AMD, and ARM processors, effectively putting every computer and mobile device at risk. Spectre is a result of modern CPU architecture and will be much harder to patch than Meltdown, although it is also more difficult to take advantage of than Meltdown.
UPDATE 1-4-2018: Meltdown and Spectre together affect virtually all modern processors and computing devices.
WINDOWS USERS: If your PC contains certain models of AMD processor, Microsoft's latest security update may cause it to stop booting. A new patch will be available soon.
MAC USERS: The latest updates to Sierra and High Sierra will protect you from Meltdown. Install the updates as soon as you have the opportunity. So far the patch seems to avoid any significant performance hits.
LINUX USERS: Instructions on applying a kernel patch are available here.
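For Linux systems, one way to confirm that the kernel patch is active after updating, as an added example that is not part of the original article. It assumes the kernel exposes status files under /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, plus distribution backports); RUN_NOW is a hypothetical switch introduced here.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigations.
# Assumption: status files live in the sysfs directory below; on older,
# unpatched kernels the directory is absent.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints OK, MITIGATED, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU model is not susceptible
        "Mitigation:"*)  echo MITIGATED ;;   # e.g. "Mitigation: PTI" for Meltdown
        "Vulnerable"*)   echo VULNERABLE ;;  # affected CPU, no mitigation active
        *)               echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR] -> prints one line per issue;
# returns 1 if any issue is neither OK nor MITIGATED.
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
            verdict=$(classify_status "$status")
        else
            # Missing file: the kernel predates the reporting interface,
            # so treat the state as unknown rather than safe.
            status="no kernel report"
            verdict=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
        case "$verdict" in OK|MITIGATED) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Run against the live system only when asked: RUN_NOW=1 sh thisfile.sh
if [ "${RUN_NOW:-0}" = 1 ]; then check_cpu_vulns; fi
```

A non-zero return means at least one issue is reported as vulnerable or the kernel is too old to report at all; in either case the system still needs its kernel update.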
For more information on Spectre and Meltdown, visit MeltdownAttack