The design flaw that enables the Meltdown and Spectre exploits is present in desktop and laptop computers, smartphones, tablets, automobiles, routers and other networking equipment, smart televisions, and any other device that contains a processor with the design flaw. So far, researchers have not detected any use of the Meltdown and Spectre exploits in the wild. The Meltdown exploit has been assigned the Common Vulnerabilities and Exposures ID CVE-2017-5754. The Meltdown exploit is not able to break out of virtual machines: it can still access guest kernel memory inside the virtual machine, but it cannot access the kernel space of the host.
Various operating systems have issued patches to prevent Meltdown exploits; however, most operating systems remain vulnerable to Spectre, which is harder to protect against. The patch for Linux works through a new Linux kernel feature called Kernel Page-Table Isolation (KPTI). KPTI is based on Kernel Address Isolation to have Side-channels Effectively Removed (KAISER), which was released in June of last year, before the Meltdown exploit was known. KAISER improved upon a 2014 update known as Kernel Address Space Layout Randomization (KASLR), which was implemented to prevent exploits of other types of kernel vulnerabilities. KPTI premiered in version 4.15 of the Linux kernel and was backported to versions 4.14.11 and 4.9.75.
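To check a Linux host against the kernel versions listed above, the following added example (not from the article or the kernel project) compares a release string with those versions and prefers the kernel's own report when it is available. It assumes the kernel exposes its Meltdown status in `/sys/devices/system/cpu/vulnerabilities/meltdown`, which the article does not mention; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): is this Linux kernel mitigated against Meltdown?
SYSFS=/sys/devices/system/cpu/vulnerabilities/meltdown   # assumed kernel status file

# Compare a release string with the versions the article lists: KPTI in 4.15,
# backported to 4.14.11 and 4.9.75. Prints yes, no or unknown.
kpti_by_version() {
    case $1 in *.*) ;; *) echo unknown; return 0 ;; esac
    ver=${1%%-*}                      # drop suffix: 4.14.11-300.fc27 -> 4.14.11
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=0
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;; esac
    case "$major.$minor.$patch" in *[!0-9.]*|.*|*..*|*.) echo unknown; return 0 ;; esac
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 15 ]; }; then
        echo yes
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 14 ]; then
        if [ "$patch" -ge 11 ]; then echo yes; else echo no; fi
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 9 ]; then
        if [ "$patch" -ge 75 ]; then echo yes; else echo no; fi
    else
        echo unknown                  # series not listed; vendor kernels may backport
    fi
}

# Read the kernel's own status line from the given file, if it exists.
meltdown_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    read -r line < "$1" || true
    case $line in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Prefer the kernel's report; fall back to the version comparison.
assess() {
    state=$(meltdown_status "$2")
    [ "$state" = unknown ] || { echo "$state"; return 0; }
    case $(kpti_by_version "$1") in
        yes) echo kpti-expected ;;
        no)  echo kpti-missing ;;
        *)   echo undetermined ;;
    esac
}

assess "$(uname -r)" "$SYSFS"
```

A version string alone cannot prove that KPTI is active, since it can be disabled at boot or backported by a distribution, which is why the kernel's own report takes precedence here.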
Microsoft has issued an emergency patch to stop the Meltdown exploit for many of its operating systems. The company has issued patches for Windows 10, as well as Windows 8.1, Windows 7 Service Pack 1, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 Service Pack 1. Apple has issued a patch.
Google is rolling out a fix for the exploits with version 64 of Chrome, which is due to be released on January 23rd. Site isolation features are already available in Chrome, as well as in the Opera web browser. To enable site isolation in Chrome, click on the address bar, type chrome://flags/#enable-site-per-process and press Enter; then click Enable next to Strict Site Isolation and restart the browser. Google phones and tablets will receive a patch for Android, but non-Google devices running Android will have to wait for the update to be sent from the manufacturer. Apple has not commented on when it will issue a patch for Safari. Apple’s OS X has been patched, as well as iOS.
Benchmark tests run on Linux before and after patching showed virtually no impact on video game performance. Other benchmark tests showed some performance decreases, and experts have said that for certain operations a performance decrease of 5% to 30% could be expected. Microsoft stated in a security advisory that its benchmark tests have shown that its patch may decrease performance; however, it also stated that users may not notice any change in performance.