There is lots of information circulating about the new exploits of computer chips from Intel and others announced in the past few days. Some of it has been accurate, and some has been sensationalist and overblown. There is much technical information with a high level of detail available for both Meltdown and Spectre, so I won’t get into a lot of technical detail here. Rather, I’ll focus on the higher-level issues affecting business and personal computer users.

First, to be clear, these exploits affect all the major computer chip architectures. The major chip makers — AMD, ARM and Intel — have decided to work together to mitigate the potential effects of a common enemy that affects most modern computer chips — a good sign for future industry collaboration. And all the major software vendors (Linux vendors, Microsoft for Windows, Apple for macOS, and virtualization software suppliers such as VMware and Citrix) have collaborated to mitigate this threat.

But what are the threats? There are potentially three different threats exposed in the disclosure, collectively described by Meltdown and Spectre.

Meltdown and Spectre are not exactly the same, but they are related and use a similar exploit mechanism to gain access to computer data. Nearly all modern chip architectures from the major suppliers (Intel, AMD, ARM) are affected, and this includes nearly all modern computer systems from data center to PC to smartphones. The problem affects nearly all operating systems, such as Windows, Linux, macOS and even Android, as well as virtualized environments such as VMware and Citrix.
But it doesn’t affect lower-level or real-time operating systems (like QNX) that don’t use this particular feature, nor lower-level controller chips used for the Internet of Things (IoT).

Basically, the exploit involves reading memory locations that are supposed to be protected and reserved for use by the computer kernel. It exploits an architectural technique known as “speculative execution,” which is a key feature of things such as look-ahead instructions and data, and which significantly improves computer performance.

With a potential to read kernel data, what’s the real threat level behind Meltdown and Spectre? Let’s look at what it is, what it’s not, and what you should do about it.

What are Meltdown and Spectre:

Meltdown and Spectre are exploits, not chip design flaws, operating against computer architecture that’s been designed into chips for decades. They access protected areas of memory to potentially decode and read. While this may contain sensitive information such as passwords, it also may simply be variable instructions and data from application processes that are not of much value.

They have the potential to read protected memory locations used by the device and applications (including browsers) that store information in the kernel memory, including potentially sensitive data. They do not read memory in mass storage devices such as disk drives. But it may not be possible to even read the captured data in real time, as it requires understanding the relationship between data locations, which are highly variable, and actual data content, and requires a good amount of processing/decoding.

They must be run locally on the machine and must be loaded through some form of application.
Therefore, it’s not easy to do this via a “drive by attack” that does not launch a machine-specific application targeted at this vulnerability.

What they aren't:

They do not allow takeover or modification of machines and operating systems, so it is not a traditional malware actor. This is important, as it does not expose the machine to any modifications of its operations or “hijacking.”

It is not an easy thing to do, as some have suggested. It takes a good deal of effort to access and discover the actual content of memory and make it meaningful, as mentioned earlier. For this reason, this is likely not a “high volume” approach to malware like more traditional approaches that take over the operation of the machine for nefarious purposes.

They do not allow data access and retrieval of stored data sets on disk drives (e.g., databases) like many normal malware attacks would, nor do they allow machine takeovers for DDoS attacks. So, the actual risks to corporate or personal data are much more limited than typical of malware attacks that capture full content of mass storage systems.

These aren't things smaller-scale computers, like PCs and smartphones, need to worry much about, as the amount of effort involved would highly favor exploitation at large data center machines rather than personal machines. It’s about “bang for the buck” for the hacker.

What’s the risk?

To date there are no known uses of the exploits in the wild. And it’s not as easy to deliver a payload to a machine to use these exploits, as it is with more common malware that’s sent via an email or errant application download.

Further, all of the major OS vendors are patching their software to dramatically limit the ability of these exploits to cause harm, and firmware is being updated by the chip and machine vendors.
So, while there is a potential real risk, in my opinion, it’s not as great as many of the more traditional malware attacks we’ve seen in the recent past.

What should you do?

All the major OS and cloud companies are working on fixes for this vulnerability and have, or are in the process of, providing software updates. It may be impossible to eliminate all risk without turning off some of the fundamental features of modern computers, such as look-ahead functions, which isn’t practical.

Even with the software patches, most users won’t see a major impact on their programs, as they affect only memory access to the kernel system, and many apps use that feature only occasionally. Speculation that the patches will cause a 30 percent decline in performance is, in my opinion, highly overstated. I estimate for the average user on a PC, the performance degradation may not even be noticeable or will likely be in the 3 to 5 percent range.

For large data centers where there are many operations to the kernel memory, the impact may be somewhat greater, but I still estimate it will be well under 10 percent. Although for very large data sets, that may be negatively impactful.

Bottom line

While these new exploits are troublesome, as are all potential security risks, users and organizations affected should not panic. Many of the fixes are already being implemented as software/firmware upgrades and should mitigate the vast majority of any potential exploitation.

Future chips will also incorporate more protections against these exploits. But as with all major current and future architecture enhancements, there is no guarantee that everything will be 100 percent secure even though the chip, OS and app vendors do all they can to protect systems.
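
The advice above to apply the OS and firmware updates can be checked on a Linux host, where patched kernels report their own status for Meltdown and the two Spectre variants under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not part of the original article; the function names are hypothetical and the sample status files are constructed.

```python
"""Summarise the Linux kernel's own Meltdown/Spectre status reports."""
import tempfile
from pathlib import Path

# sysfs directory exposed by Linux kernels that carry the reporting patches.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# The three issues disclosed together: Meltdown, Spectre variant 1 and 2.
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to a coarse state."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(base=SYSFS_DIR):
    """Return {entry: (state, raw_text)}. A missing file means the kernel
    predates the reporting interface, so it is 'unknown', not 'safe'."""
    report = {}
    for name in ENTRIES:
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            raw = ""
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Entries that are neither mitigated nor reported as not affected."""
    return sorted(name for name, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


def demo():
    """Run against a constructed directory so the example works offline."""
    sample = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in sample.items():
            (Path(tmp) / name).write_text(text)
        return needs_attention(read_status(tmp))  # spectre_v2 file is absent


if __name__ == "__main__":
    print("constructed sample:", demo())
    print("this host:", needs_attention(read_status()))
```

An empty list for "this host" means the kernel reports every one of the three entries as mitigated or not affected; any name listed is a reason to check for pending kernel or firmware updates.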