Looks like we are stuck with the Meltdown insecurity in Intel CPUs from the last ten years. But Spectre is supposed to be addressable. But how? In easy-to-understand steps would be great. It would be fantastic if a Mint update has fixed this! But are we so lucky?
Ok, first, we need to differentiate the attacks, what they can do, and who's vulnerable.
All three attacks are based on the fact that modern CPUs engage in 'speculative execution' of instructions; basically, when a program comes to a code branch ("if this condition is true, then do this, otherwise do that"), the CPU tries to guess which branch will be taken, and starts fetching and decoding instructions for that branch. If the CPU guesses correctly, that's great; if it doesn't, then it has to flush the pipeline and start over.
As you can guess, accurately predicting program flow can have a significant performance impact.
The attacks work by taking advantage of the fact that under certain conditions, this behavior can leave behind DETECTABLE changes in system state, even though they don't actually change the program flow, or the data the program works with.
Meltdown - Affects pretty much every Intel chip made this decade (and most made in the last 20 years), Apple's ARM chips, and ARM Cortex A75-based designs. AMD CPUs are not vulnerable due to an architectural difference in how they handle the Translation Lookaside Buffer (TLB). This attack results in the leakage of kernel memory, which means an attacker could gain access to encryption keys or other sensitive data held in kernel space. It can be mitigated with OS patches. For newer Intel CPUs (Haswell and later) the performance impact will be lower than for older ones, as the OS patches can take advantage of instructions that have existed for some time but haven't been implemented until now (because they weren't seen as offering anything useful, while being painful to use). Benchmarks have shown that for I/O heavy loads (databases, server virtualization), the performance penalty can be upwards of 50%, but for MOST workloads will be around 20% or less. For the average desktop, the performance penalty is likely not noticeable.
Spectre Variant 1 - Bounds Check Bypass - All CPUs currently in use appear to be vulnerable to this. AMD believes the threat can be mitigated with an OS patch. For Intel and Apple, mitigating the threat requires changes in application code AS WELL AS OS updates. This means that POTENTIALLY EVERY PROGRAM has to be REWRITTEN with the necessary code changes. In practice, it probably isn't near that bad, but it's still not good. The performance penalty for the patch appears to be negligible.
Spectre Variant 2 - Branch Target Injection - All CPUs currently in use appear to be vulnerable to this. It's worth noting that AMD believes there is a 'near zero chance to exploit this' on AMD CPUs. Regardless, AMD and Intel have both released microcode updates and OS patches to address the issue. As above, mitigation will probably require application changes ALSO, at least for Intel and Apple CPUs. Performance impact follows a similar pattern to the Meltdown patch. Apple have released software updates.
So, net result?
Meltdown screws Intel badly. Apple gets hit on the iPhone, and ARM gets hit on the A75. I don't think the A75 is widely used yet (it was only released around May of last year), so the impact there may not be too bad.
Spectre Variant 1 screws Intel and Apple pretty hard, and possibly hurts AMD some. For Intel and Apple, the issue really comes down to how many applications have to be recompiled. For AMD, it really depends on whether an OS patch is all that's needed.
Spectre Variant 2 screws Intel pretty hard. Unclear about Apple. For AMD, there doesn't really appear to be an issue, they are just being cautious.
For desktop users, the performance impacts, especially for Haswell and later Intel CPUs, should be negligible for most situations. For servers, it's really going to be a function of the workload; as you get more I/O intensive (particularly disk and network), you take a higher hit. Older CPUs are hit harder than newer CPUs.
The one bright spot in all of this (if you can call it that) is that these vulnerabilities can only be exploited by programs running locally on your computer. Unfortunately, this includes JavaScript running in a browser. Fortunately, there are ways to mitigate ALL of the above attacks with changes in browser code. Firefox and Chrome have already released updates, and Apple have put out an updated version of Safari with mitigations as well (I believe MS have also updated Edge and IE). Since the browser is the primary attack point for most users, this means that installing the latest version of your browser SHOULD make it MUCH harder for malicious JavaScript to exploit these issues.
Also, these vulnerabilities do NOT allow someone to take over your computer. They DO, however, allow the leakage of sensitive information (passwords, encryption keys) which might be combined with OTHER attacks in some way.
BTW, Ars wrote a good piece on this, if you want to read more details:
https://arstechnica.com/gadgets/201...e-and-meltdown-patches-will-hurt-performance/
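To make the "application code changes" for Spectre Variant 1 concrete, here is an added example (not from the thread above or from any vendor's patch) of the index-masking pattern that compilers and the Linux kernel's array_index_nospec() use to harden a bounds-checked array read: the plain check can be mispredicted, so the hardened version clamps the index with a branch-free mask that holds even on the speculative path. The table, the lookup functions and their names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed lookup table standing in for data next to secrets. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25 };

/* Branch-free mask: all ones when idx < len, zero otherwise.
 * (len - 1 - idx) wraps to a huge value exactly when idx >= len, so the
 * top bit of (idx | (len - 1 - idx)) is set iff idx is out of range;
 * inverting it and arithmetic-shifting spreads that bit to every bit. */
static inline size_t index_mask_nospec(size_t idx, size_t len) {
#if defined(__GNUC__)
    __asm__("" : "+r"(idx)); /* stop the compiler folding the mask away */
#endif
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Plain bounds-checked read: architecturally correct, but a mispredicted
 * branch can still fetch table[idx] with idx out of range. */
static int lookup_unhardened(size_t idx, uint8_t *out) {
    if (idx < TABLE_LEN) {
        *out = table[idx];
        return 1;
    }
    return 0;
}

/* Hardened read: idx is clamped inside the branch, so even on the
 * speculative path the access stays inside the table (index 0). */
static int lookup_hardened(size_t idx, uint8_t *out) {
    if (idx < TABLE_LEN) {
        size_t mask = index_mask_nospec(idx, TABLE_LEN);
        *out = table[idx & mask];
        return 1;
    }
    return 0;
}

int main(void) {
    uint8_t v = 0;
    size_t probes[] = { 0, 7, 15, 16, 4096 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int ok = lookup_hardened(probes[i], &v);
        printf("idx=%zu in_range=%d value=%u mask=%#zx\n", probes[i], ok,
               ok ? v : 0u, index_mask_nospec(probes[i], TABLE_LEN));
    }
    return 0;
}
```

Both lookups return identical results architecturally; the difference only matters on the mispredicted path, which is why a compiler cannot be trusted to keep the mask without the barrier.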