1

Today, I saw this in the news. I'm hesitant to install the fix, because I've heard it would slow down IO by 50%, which is not acceptable for me.

But a guy said that the flaw allows JavaScript in the browser to steal your information. Is this true? Worst case scenario for me is that any website I visit could run some dangerous JS that takes control of my PC. Only that would get me to install the fix.

I am not familiar with security, I just want to know how it actually affects us in the real world.

Anders
Mithril
  • 7
    I propose to close this question because of quality issues. It starts by claiming *" slow down io 50%"* without citing any sources for this (the estimates I've seen are way lower) and continues with more claims without useful sources like *"But I see a guy said..."*. The topic itself is security relevant but there are now enough questions here which ask similar things, only with more founded claims. – Steffen Ullrich Jan 04 '18 at 06:28
  • @Steffen Ullrich Because I live in China, just today I received a lot of similar news about the Intel CPU flaw. All the news is in Chinese, so I think it is not good to post here. And some people commented in the news article that it is very dangerous; that's why I came to ask a question. – Mithril Jan 04 '18 at 06:35
  • 4
    As I said, the issue behind your question is relevant but the question itself has the mentioned quality issues. Given that this is a really hot topic right now there are more similar questions here about this topic so I recommend to have a look at these. – Steffen Ullrich Jan 04 '18 at 07:50
  • 1
    I only heard the 50% number once and that was here: https://twitter.com/grsecurity/status/947439275460702208. The impact doesn't matter though since AMD isn't - really/reportedly - affected by Meltdown. – Steffen Winkler Jan 04 '18 at 14:11

2 Answers

5

The Spectre and Meltdown attacks are about programs reading data they're not supposed to. They don't provide any way to make modifications or take control of computers.

If you're running a typical desktop system, the flaws aren't a major threat simply because anyone in a position to use them has so many other ways to do the same thing. The real risk is to cloud services and shared-hosting providers, because the attacks let one user read another user's data.

The fix to Meltdown will slow things down by 5% to 30% (depending on your CPU and what you're doing); computer games appear to be at the 5% end of things. There is no general-purpose fix to Spectre, but it's also much harder and slower to exploit than Meltdown.

Mark
  • 13
    Well, most desktop users run a little sandbox app called a browser that actively downloads and executes untrusted code from the internet. This app is often also used to do sensitive operations like online banking in the same process with other untrusted code, which makes the Spectre attack very relevant. – billc.cn Jan 04 '18 at 12:09
1

Today, I found news from Mozilla: Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks

Mozilla has officially confirmed that the recently disclosed Meltdown and Spectre CPU flaws can be exploited via web content such as JavaScript files in order to extract information from users visiting a web page.

This is really bad. However, there is no full mitigation now...

To hinder the attacks' efficiency, Mozilla says it reduced the precision of Firefox's internal timer functions. This is not a full mitigation, but just an efficient and clever workaround.

I think the fix patch is needed.

Mithril
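
The timer-precision workaround quoted in the answer above, as an added illustration (not part of the original post and not Mozilla's code): a clock that only reports coarse ticks makes two operations with slightly different running times look the same in almost every measurement. The function names, the 50 ns / 250 ns durations and both clock resolutions are constructed sample values.

```javascript
// Added illustration: effect of clock resolution on telling two durations apart.
// All times are integer nanoseconds; every value here is a constructed sample.

// Returns a clock that only reports multiples of resolutionNs,
// the way a browser timer with reduced precision would.
function coarseClock(resolutionNs) {
  return (trueTimeNs) => Math.floor(trueTimeNs / resolutionNs) * resolutionNs;
}

// Elapsed time of an operation as seen through the given clock.
function measure(clock, startNs, durationNs) {
  return clock(startNs + durationNs) - clock(startNs);
}

// Fraction of single measurements in which the slow operation
// reads as longer than the fast one. Start times are spread evenly
// over one clock tick so the result is deterministic.
function distinguishRate(resolutionNs, fastNs, slowNs, trials) {
  const clock = coarseClock(resolutionNs);
  let distinguished = 0;
  for (let i = 0; i < trials; i++) {
    const start = 1000000 + Math.floor((i * resolutionNs) / trials);
    const fast = measure(clock, start, fastNs);
    const slow = measure(clock, start, slowNs);
    if (slow > fast) distinguished++;
  }
  return distinguished / trials;
}

// Fine clock (10 ns ticks): the 200 ns gap is visible every time.
console.log(distinguishRate(10, 50, 250, 1000));
// Coarse clock (20 µs ticks): both operations usually read as 0 elapsed.
console.log(distinguishRate(20000, 50, 250, 1000));
```

The small non-zero rate with the coarse clock is consistent with the quoted statement that reduced precision hinders the attack but is not a full mitigation.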