Well - if that is as bad as it implies, it is pretty terrible. Seems to affect every hardware platform on all operating systems. In a nutshell, it is a problem caused by Speculative Execution - which is where the computer does tasks that are not requested in case they are requested and thus improves speed.
My question would be: How are they fixing it? If it is just to switch off features that improve performance to make the system safer, then how much of a performance hit would be felt? The report says performance could be hit by 30% (seems excessive).
I believe the intent is to patch it in the kernel as you can’t patch the processors, and yes it’ll involve taking a performance hit of some of whatever you gain from speculative execution (entirely task dependent). They’ve known about it for a good while but the details are supposedly kept under wraps to keep everyone safe, until a suitable patch Tuesday has passed. How complex a kernel update is is an issue for the OS engineers and it’ll vary depending on the OS.
If you’re going to be affected, you probably already would have been. There is other stuff already in there to make something like this difficult to exploit.
If you read the ARS article @Ronin linked it says in there that these patches will likely not affect the average user since the average user either wouldn’t be using intensive applications (specifically applications that have a very high volume of kernel calls) or would just be gaming which apparently isn’t affected. It says that when the patch is pushed out to all, it will be opt-out for non-enterprise users.
One of the big places at least the Intel patch affects is running VMs so @adrock may well see some impact given the nature of your work, @n0tch too in the same regard and maybe @Jester dependent on the number of VMs you run. Even then, the worst prediction I’ve seen is cutting kernel calls from 6mil to 2.5/3mil which seems like it would hit industrial scale VMs (Amazon, Google, etc) far more than those who aren’t running VMs on such a massive scale.
The full scale and nature of the flaws aren’t even fully public yet, but the ARS article describes the ‘Meltdown’ flaw in decent detail and highlights why that flaw is at present confined to Intel CPUs and some ARM chips but not AMD (at least not yet).
After reading the ARS article, I figured that this would affect me more with regard to my servers that I own that are either dedicated or cloud based.
From a performance point of view on my desktop machine, I figured that gaming wouldn’t be too affected until I saw that report by @n0tch - nearly a 10% framerate reduction on R6 Siege… that’s pretty heavy. Will affect servers too for games like A3 as well I guess.
From a security point of view, I guess the biggest vulnerability in my eyes is the ability to break out of a VM environment on a server… that’d be devastating - but from a home PC point of view, having your machine compromised and being infected to be used as part of a botnet.
Well, of course… because they all use Intel or ARM processors.
ARM processors are the fun one in this whole dilemma - because they’ll be in ‘things’ that aren’t on the face of it ‘a computer’ - so intelligent devices… like your Amazon Echo (not sure if the Echo is affected, just an example).
Of course, these devices need to use Speculative Execution to make them vulnerable - but if they did, I’d consider them more of a concern than a popular computer or phone brand that’ll be quickly patched.
DigitalOcean, who I use to host ZiiP currently, seem to be on top of it. I’ll be doing manual updates of the Linux OS shortly as good practice, but I believe the droplet should be protected as we are not directly linked to the hardware.
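
For the manual Linux update mentioned in the last post, a way to confirm afterwards that the kernel patch discussed in this thread is active. This is an added example, not part of any post above; the function names and sample files are constructed for illustration, and the sysfs directory is the one patched Linux kernels provide.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report of CPU-flaw mitigations.
# Kernels carrying the Meltdown/Spectre fixes expose one file per issue under
# this directory, each holding a status line that begins "Not affected",
# "Mitigation: ..." or "Vulnerable".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# check_mitigations [DIR]
# Prints "<issue>: <status>" for every file in DIR.
# Returns 0 if no issue reports "Vulnerable", 1 if any does, and 2 if DIR is
# missing (the running kernel does not provide the report).
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no mitigation report at $dir; update the kernel first" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case $status in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# demo: runs the check on constructed sample files (not from a real host):
# Meltdown mitigated by page-table isolation, one Spectre variant still open.
demo() {
    d=$(mktemp -d)
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Vulnerable' > "$d/spectre_v2"
    demo_rc=0
    check_mitigations "$d" || demo_rc=$?
    rm -rf "$d"
    return $demo_rc
}

demo || echo "demo: unmitigated issue flagged"
```

Calling `check_mitigations` with no argument after the update and reboot reads the live system. Inside a VM such as a droplet it reflects the guest kernel only; host-side patching is done by the provider and is not visible here.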