The Meltdown and Spectre flaws reported last week affect millions of computers, tablets and phones worldwide. Processor and device manufacturers have rushed to respond with security updates to address the problems.
The Meltdown security flaw affects millions of Intel chips from the past decade. It creates an unwitting backdoor for programs or web services to access portions of a computer that can contain secure data. Were the flaw to be exploited, it could give hackers access to vast reams of personal data, such as login details and stored passwords.
A separate security flaw, named Spectre, has also been identified. This one doesn’t just affect Intel-branded processors, but also chips from AMD and those based on ARM designs. In short, ‘all the rest’. This means every tablet and smartphone (including iPads and iPhones) is vulnerable.
Some fixes have been released, and more are on the way. But issues caused by the fixes have already been reported, and more are likely, including some potentially drastic slowdown for Windows computers.
Which? Tech Support – friendly one-to-one tech and computing advice from Which?
Intel fixes on the way
Intel needs to release firmware (also known as ‘microcode’) updates to its processors to protect against the security flaws. These updates should be available within the next week, according to Intel’s CEO.
The process can only be followed by downloading an in-depth update from your computer’s manufacturer. Some of these may be downloaded automatically using update software, but many computers won’t do this: see the bottom of this article for more information from specific PC manufacturers.
Windows security fixes and slowdown
Microsoft has released security patches for almost every version of Windows it currently supports. However, the extra Intel microcode fixes (see above) also need to be installed, and it’s these – in combination with Windows updates – that are likely to lead to slowdown on devices.
Microsoft has revealed that performance for millions of computer users will be noticeably worse following the release of security patches to protect PCs against an Intel processor security flaw.
In a blog post on Microsoft’s website, Windows and Devices vice president Terry Myerson revealed that different combinations of hardware and software will be affected by the security patches in different ways.
- Windows 10 devices released in 2016 or later: Microsoft says users will experience ‘Single-digit [percentage] slowdowns’ that most won’t notice.
- Windows 10 devices released in 2015 or earlier: If you updated an older PC to Windows 10, Microsoft says some people will notice ‘more significant slowdowns’.
- Windows 7 and 8 devices released in 2015 or earlier: If you didn’t upgrade to Windows 10, you’ll experience a much more significant performance drop on these machines. Microsoft says ‘most users’ will feel the difference here.
Note: All the above is based on a combination of Windows and Intel ‘microcode’ updates. Since the microcode update hasn’t yet been issued to Intel chips, anybody who’s downloaded the fix via Windows Update will not yet notice a significant performance drop.
Intel, meanwhile, has published preliminary data on how it expects its microcode update to affect things, offering a little more detail. This .PDF document shows that new, 8th-gen Core chips will experience a 6% slowdown, a 7% slowdown on 7th-gen chips and an up-to-8% slowdown on 6th-gen chips. However, these numbers are based on high-end desktop chips and it’s not yet known how more mundane laptop chips will fare.
Only computers running Intel processors will be affected by these performance drops. If you’re running an AMD chip, you won’t be affected. But it’s not all good news for AMD.
Security updates that were distributed to all Windows systems have left some older AMD computers unable to boot into Windows. If you’ve been affected by this, visit this page on the Microsoft support site for further information. In a statement to Which?, an AMD spokesman said the update has been paused, and the two companies are investigating.
‘AMD is aware of an issue with some older generation processors following installation of a Microsoft security update that was published over the weekend,’ the statement said. ‘AMD and Microsoft have been working on an update to resolve the issue and expect it to begin rolling out again for those impacted shortly.’
Apple security fixes – no reported slowdown
Apple says that its updates to its iOS (iPhone, iPod and iPad) macOS (MacBook, iMac, Mac Pro and Mac Mini) and tvOS (Apple TV) have not resulted in any reductions to performance.
In a statement, Apple said: ‘Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS.’
Linux security fixes available
If you’re running Linux, security patches are available. But you’ll need to ensure your kernel is up to date. This varies by Linux distribution version, however, and there are many dozens of these currently in use.
Systems running Linux kernel 4.14, 4.4 and 4.9 also have patches available.
Android fixes coming in waves
Google has included Spectre fixes in its latest Android security patches. However, the Android operating system is more complex: Samsung has its own take on the OS, as does Amazon, for instance.
Google’s ‘core’ version of Android, used on Google Nexus phones and tablets, has security fixes already. But, further patches will rely upon your phone or tablet’s manufacturer to make these updates available.
If you’re running an older device, it’s possible that you won’t even get an update that can fix this flaw. We’re monitoring this situation to see if consumers may have a case against their device’s manufacturer or the retailer they purchased from.
Google has published a list of Chromebooks that are protected, and those that aren’t. You can view it here. It’s a complicated table, but if the column labelled CVE-2017-5754 mitigations (KPTI) on M63 for your model says ‘yes’ or ‘not needed’, either your device has an update available (or has already been updated) or does not need an update. If it says, ‘no’ check the column to the right to see if an update is coming. If your model says ‘EoL’ (end of life), an update won’t be coming at all. You’ll have to be more vigilant about the sites you visit, but it does not mean your’re under imminent threat.
How can you protect yourself?
There’s no need to panic, as neither of these flaws has been exploited. The Meltdown risk is close to being resolved (although resulting performance issues are another matter).
Although Spectre is a more complex issue to fix, the core risk can be avoided by only installing apps from the official app stores. Both the Apple App Store and Google Play Store are vetted by Apple and Google respectively to sift out potentially malicious apps.
Additionally, keep up the usual safe practices of using your computing devices. Don’t open email attachments from unknown senders and don’t click links to websites that you don’t trust.
You should also keep your device up to date so you’re ready for any security patches, and consider installing anti-virus software. You should also check Microsoft’s support website for advisories if you’re running Windows.
How to check your processor type
If you’re running a Windows PC, to check to see whether you have an Intel processor, follow these steps:
To open this, click Start and type system into the search box, then click the System or System information link that appears.
If you don’t see a search box, this means you’re probably using Windows XP. To check your processor type, click Start, then right-click My Computer and select Properties. Microsoft hasn’t specified whether it is providing a patch for XP.
Additionally, you can click on the links below to check whether your PC’s manufacturer has issued an update: