
I have a Laptop that needs replacing due to age.

I will be using this laptop for desktop use, including Office apps, development, running VMs and web browsing. I will be using separation via Qubes/Xen, KVM or VirtualBox. Note: the laptop won't be running Windows on bare metal (it may run as a VM); it will run Linux or Xen/Qubes.

Should I wait until Spectre and Meltdown are fixed in hardware*, or can current processors be fixed by software updates (for the browser and virtualization) and microcode updates?

Also please feel free to speculate (no pun intended) when laptop processors with Spectre & Meltdown fixed are expected to be released.

* all CVEs, including the original 3 CVEs, the 2 newer CVEs and the expected 8(?) newer CVEs.

  • I think this question is covered by [Meltdown and Spectre Attacks](https://security.stackexchange.com/questions/176803/meltdown-and-spectre-attacks) – Steffen Ullrich Jun 09 '18 at 12:18

2 Answers

1

I'd personally say buy the new laptop if you need to replace it. I see multiple vendors offering protection at their own respective layers: OEMs provide it at the BIOS / UEFI layer, Microsoft and others at the OS layer (https://support.microsoft.com/en-in/help/4073757/protect-your-windows-devices-against-spectre-meltdown), and even browsers such as Google Chrome have started offering protection mechanisms (https://threatpost.com/google-patches-34-browser-bugs-in-chrome-67-adds-spectre-fixes/132370/).

All in all, while the vulnerability itself cannot be fully remediated at the software / driver / firmware level (although Intel can theoretically take care of this in firmware, we'd all have to bear a performance brunt of up to ~30%), the combination of patches makes exploitation difficult unless you're targeted by an extremely potent and determined attacker.

The true fix lies at the hardware level, and Intel has not given any updates on when it plans to do this, although I found the following:

"There's a possibility, however, that it won't be Skylake-X at all, but rather Cascade Lake-X. Cascade Lake is an incremental revision to the Skylake-SP/X platform: it adds some extra AVX512 instructions, it should include hardware fixes for Spectre and Meltdown attacks, and it should support faster memory."

https://arstechnica.com/gadgets/2018/06/intel-is-launching-a-28-core-enthusiast-chip-but-probably-not-at-5ghz/

Enjoy the new laptop. :)

Parth Maniar
0

You should patch the OS and hypervisors.

Patches should be deployed as soon as they are available.

If you use the OS patches, it means that the OS will mitigate the attack vector.

It will not fix it, because depending on your privileges you might still use the exploit.

For reduced-privilege users, you will be making it a lot harder to achieve the same results.

The BIOS / firmware updates will be the ones that can fix it, as they will block / remove the attack vector and vulnerable instructions.

For Meltdown there is already a PoC available that shows how you might get credentials and elevate privileges; with the OS patch this would be 100% fixed.

Hugo
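Both answers come down to "apply the OS, hypervisor and microcode patches", so the practical question on a Linux host like the asker's is whether those patches have actually taken effect. Since kernel 4.15 the kernel reports this per issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not code from either answer; the function names and the sample sysfs contents it constructs are assumptions for illustration.

```shell
#!/bin/sh
# Summarise the kernel's Spectre/Meltdown mitigation status from the sysfs
# files Linux 4.15+ exposes. A directory can be passed to inspect a copied
# or constructed tree; the default is the live sysfs path.

# Prints one line per vulnerability file. Returns 1 if any file still
# reports "Vulnerable", 2 if the directory is missing (old kernel / not Linux).
report_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not report mitigation status"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    verdict="VULNERABLE"; rc=1 ;;
            "Not affected") verdict="not affected" ;;
            Mitigation:*)   verdict="mitigated" ;;
            *)              verdict="unknown" ;;
        esac
        printf '%-18s %-13s %s\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# Constructed sample (assumption, not captured from a real machine): the OS
# patch has enabled page-table isolation for Meltdown, but without the
# vendor microcode the spectre_v2 file still reads "Vulnerable".
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run against the constructed sample; the "||" keeps a
# non-zero verdict from aborting under "set -e".
report_cpu_vulns "$(make_sample)" || echo "=> some issues are still unmitigated; check microcode/firmware updates"
```

Inside a Xen or KVM guest these files describe only what the hypervisor exposes to that guest, so the host (or Qubes dom0) must be checked separately.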