As the chip vendors wrestle to get their arms around the Meltdown and Spectre vulnerabilities, we’re slowly determining the exposure of AMD and ARM to the exploit. Intel, unfortunately, is totally vulnerable. With AMD and ARM, though, it gets complicated.

First, let’s go over the Spectre exploit, which is a second class of attacks similar to Meltdown, the one we all know. Like Meltdown, Spectre exploits speculative execution in order to root out information from a CPU’s cache. Spectre is different because of how it runs.

While Meltdown is based on a specific implementation of speculative execution, Spectre exploits a risk to speculative execution that requires more work to exploit but is also considered harder to mitigate. Because it’s more obscure and arcane, it’s not as well understood. That’s why Meltdown is considered the bigger risk.

To reiterate, speculative execution is a form of high-performance execution in which modern CPUs make what is essentially an educated guess about what they will be told to do next, rather than waiting for the instruction. Intel has been doing this for decades, but AMD has not. AMD doesn’t do what’s called branch prediction.

It’s important to remember that Meltdown and Spectre don’t allow malicious code into your computer to destroy data or hard drives. It is a read-only vulnerability. Of course, that’s still bad. It means sensitive data in memory can be stolen. But you don’t need to fear your database being trashed, just read.

The risk to AMD processors

AMD issued a statement on Meltdown and said it is potentially vulnerable to only one of the three variants of Meltdown, but no one has demonstrated an AMD vulnerability as yet. This applies to both the new Epyc server processor and older Opteron server chips for the half dozen customers still using them.

The risk to ARM processors

With ARM, it gets complicated. The company has published a list of cores at risk.
ARM has three types of cores — Cortex-A, Cortex-M and Cortex-R.

Cortex-M is an embedded microcontroller used in Internet of Things (IoT) devices and a 32-bit processor, so it has no exposure.

Cortex-R is also an embedded controller used in real-time applications, such as cars. Those are used in closed systems and are not prone to attack, although ARM said they are at risk of exposure.

Only the Cortex-A line has exposure, and not all of the chips are at risk. For example, the Cortex-A53, which is the most widely used processor in smartphones and tablets, is not at risk. The A55 is also clear. But, again, it gets complicated. The iPhone, from which the Ax processor line is derived, used the A53. But Apple did a lot of work to improve performance and has pushed out an update to iOS in version 11.2.2.

What about server vendors?

As for the server vendors, it’s a bit hard to determine Qualcomm’s exposure. Centriq is based on the ARMv8 design, but there are a lot of v8 designs, both in 32-bit and 64-bit derivatives. The Centriq core, code-named Falkor, does do branch prediction and out-of-order execution, so there is a good chance it does have exposure.

"We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available," the company said.

As for Cavium, its chief competitor in the ARM server market, I’m told the ThunderX processor on the market does not have exposure to Meltdown and Spectre, but the ThunderX2, which is not out yet, is vulnerable.
There was quite a change between the first and second version of ThunderX because the ThunderX2 is heavily derived from IP acquired from Broadcom in 2016.

Broadcom had an ARM-based server project, called Vulcan, in the works, and on paper it looked to be quite competitive. Then Broadcom was bought by Avago, which didn’t want to be in any market it couldn’t dominate or that was unproven. So, Vulcan was a victim of the whittling down of Broadcom’s product line, and Cavium lucked out. It picked up Broadcom’s work and got a big jumpstart on its efforts. Broadcom was quite ambitious, targeting markets such as networking, communications, servers, and big data for Vulcan. So, chances are it did branch prediction, which means, yes, it is vulnerable.

A Cavium spokesman said Cavium processors in production are not susceptible to all three variants of Meltdown. And due to differences in Cavium’s architecture, the company believes there is "a near zero risk to Cavium processors at this time." To mitigate any potential risks for ThunderX2, Cavium has software patches in place. However, there are no silicon changes planned, nor does it plan to delay the release of ThunderX2 to make changes to the processor.

"The performance impact due to these patches are negligible," the Cavium spokesman said.