I understand these are hardware vulnerabilities related to processor design and unintended side effects of speculative execution. Of the two, Meltdown is easier to fix, and can be (largely) addressed by OS updates. There are two variants of Spectre, making it a class of attack more than a specific vulnerability. While Spectre can be mitigated through OS and browser updates, it requires BIOS / UEFI firmware updates to fully address. Both Meltdown and Spectre put personal data at risk, allowing an attacker to extract information from system memory [e.g. passwords, credit card details], really anything that has not been cleared from the system cache.
My question is: do Meltdown and Spectre require malicious code to execute on the target machine in order to work? I understand that traditional security software such as anti-virus, etc. will neither recognize nor protect one from Meltdown and Spectre. And no system is 100% secure and fool-proof, but if one exercises sound security practices including keeping browsers and other software updated, using a multi-layered approach of anti-malware, anti-exploit, and firewall software ... should one be reasonably protected from Meltdown & Spectre without the specific patches?
The reason I ask is: I have an older system originally purchased in spring of 2012. My motherboard, ASUS Rampage IV Extreme, apparently does not yet have a BIOS / UEFI update to address Spectre. Also, I am on Windows 10 and have the patch addressing Meltdown, but I do note that the system is noticeably less responsive... One needs to decide between protection from Meltdown vs system performance. Given the seriousness of the vulnerability [potential identity theft], it would seem foolish to choose anything other than the best protection. But I don't know how great the risk is if one decides to disable the patch while maintaining otherwise sound security practices.
I do know malicious code is usually insidious, often relying on social engineering to induce the user to, say, temporarily disable their AV, or escalate privilege to admin, etc. There are also malvertising and forced downloads, etc. It is difficult to 100% avoid allowing malicious code to run.
I would appreciate any feedback. Thanks!
Edited by Oxonsi, 09 May 2018 - 12:50 PM.