This answer is an attempt at addressing simply the main concerns. The details here might not be exemplary accurate, or complete. I'll try to link to more detailed explanations when possible.
What is speculative execution and what does it do?
Speculative execution is a feature of modern processors that comes as an optimisation. To allow for the parallel treatment of instructions into the processor pipeline, instructions can be processed ahead of time by using techniques such as branch prediction, value prediction or memory prefetch. Instructions can then be executed out-of-order.
This is a way to gain time by predicting correctly what happens next, instead of keeping the processor idle. When the prediction fails, the instructions are rolled back.
What is the difference between Meltdown and Spectre?
Meltdown exploits are globally easier to implement than Spectre.
Meltdown takes advantage of memory reads in out-of-order instructions, Spectre acts on the branch prediction mechanism.
Spectre allows for cross/intra process memory disclosure, Meltdown allows disclosure of kernel memory to the user-space processes (normally not accessible).
Meltdown has a known software mitigation.
Both rely on a cache side-channel attack, which is a measure of timing differences when accessing certain blocks of memory to deduce the information otherwise unknown.
How does Meltdown work?
In a nutshell, Meltdown works by asking the processor to load memory the user-space program should not have access to. Memory is read in an out-of-order fashion and put into cache. Using a side-channel attack (execution time measurement) on the cache, it is possible to infer the value of that memory location.
How does Spectre work?
Spectre works on a different level and does not allow access to kernel-space data from user-space. In this attack, the attacker tricks the speculative execution to predictively execute instructions erroneously. In a nutshell, the predictor is coerced to predict a specific branch result (if -> true), that results in asking for an out-of-bound memory access that the victim process would not normally have requested, resulting in incorrect speculative execution. Then by the side-channel, retrieves the value of this memory. In this way, memory belonging to the victim process is leaked to the malicious process.
How do I protect myself?
Update your operating system and/or hypervisor.
The main operating system distributors already release patches to implement the KPTI/KAISER behaviour. This is a means to reduce the attack surface by removing the user memory mapping of the kernel that are not strictly necessary for the processor to function.
Microcode (firmware) updates are likely to be release at some point.
Are the KPTI/KAISER patch sufficient to protect my computer?
No. And it only covers Meltdown.
The problem lies in the architecture design of the processors. To solve the problems completely (or even partially in the case of Spectre), at least a firmware update will be necessary. It is also possible that processors will have to be replaced by more recent models without this design flaw.
The patch is claimed to induce a loss of performance, is it true? How much does this mean?
Yes, but the loss incurred is dependent of the software workflow. Claims are it could range from 5% to 30% loss, depending on how system call reliant your software is. Benchmarks with high kernel-to-user space transitions, such as databases, have been reported to be the most affected.
This is still undergoing investigations, preliminary reports have been made (see links).
However, since impacts vary by application, you should test the performance impact in your environment rather than relying on generic benchmarks.
Preliminary results (independent??):
Official announcements:
Can I/Should I disable the new patch if I worry about performance losses? What are the risks?
No. You can, but it's definitely not recommended.
First of all, if you're managing data from others, you would make your clients vulnerable to data theft.
Then, the performance losses still have to be properly evaluated and are highly dependent on your specific workflow. It's not a straight down 30% in performances.
Should you disable KPTI, you run the risk of having your confidential data leaked.
Which platforms and which CPU are vulnerable?
Most of the Intel CPU are vulnerable to both attacks. AMD CPU seems to be only affected by Spectre. Some ARM Cortex processors are affected, while all other ARM processors are not. PowerPC processors in the POWER 7, POWER 8, and POWER 9 families are affected, and others may be.
(see links for details).
I am running a Virtual Machine/Containers, to what extent am I vulnerable?
As per Steffen Ullrich's answer
- Meltdown attacks do not cross VMs, only leaks kernel memory to local processes.
- Spectre can work across VMs.
Also, from Steffen again, Meltdown and Spectre works with containers, as containers relies on the host kernel.
Can I detect Meltdown/Spectre attack on my computer?
It's very difficult, if even possible to.
Meltdown and Spectre both uses a designed property of the CPU that is triggered by innocuous programs all the time, making malicious programs difficult to tell apart from benign programs.
Are these attacks a remote code execution vulnerability?
No they aren't.
To be able to apply this attack, the attacker need to be able to execute code on the target host. Note however that if these are combined with other attack vectors, for example file upload or cross-site-scripting exploits, then there is a possibility of executing them remotely.
Do I need to patch my software/website?
In an ideal world, no.
In reality, some browser vendors already have implemented decrease in time accuracy measurements to mitigate the side-channel attacks. The KPTI should already provide a fair enough fix for programs using native system calls.
Can I be affected while visiting a website?
Yes, there's already a proof of concept of a Javascript exploit for Spectre (only).
Can you explain this with an image?
No, but Randall Munroe can:
[Source XKCD : https://xkcd.com/1938/]
