Spectre and Meltdown, the two major flaws discovered in computer processors, could allow cybercrimin

etaoppvtltd

The flaws have existed in modern processors for 20 years, but news surfaced last week that virtually all computers and smartphones are affected by the bugs.

So far, there is no evidence that hackers have exploited the vulnerabilities.

But it's only a matter of time before attempts are made, according to Matt Tait, a senior fellow at UT Austin's Strauss Center.

"We'll absolutely see in the next few weeks and months people using this vulnerability, especially in the web browser to steal passwords," Tait told CNNMoney.

"If you install your security updates, you will get new clever software features designed to protect your computer," Tait said. "When your browser updates, it will prevent websites from attacking your processor and stealing your password."

Apple (AAPL), Google (GOOG) and Microsoft (MSFT) have released some patches that mitigate the bugs.

Apple has released an update to macOS High Sierra for all Macs running macOS 10.13.2. The supplemental security update likely addresses the Spectre flaw that affected Safari and may contain further mitigations for Meltdown.

On Monday, Apple announced that it also has patches to mitigate the Spectre vulnerability in iOS and macOS. Those of you who use iOS will want to update to version 11.2.2 (check under Settings > General > Software Update). The update for macOS 10.13.2 is a supplemental Safari update, which you can find in the App Store under Updates.

In Apple’s words, Spectre’s techniques “are extremely difficult to exploit, even by an app running locally on a Mac or iOS device,” but “they can be potentially exploited in JavaScript running in a web browser.” The new updates harden Safari and WebKit to make Spectre harder to exploit through the browser. Apple says that it’s continuing “to develop and test further mitigations within the operating system for the Spectre techniques,” and a tvOS update is coming. Apple Watch was unaffected by Meltdown and Spectre.

How do Meltdown and Spectre work?

Processors are one of the building blocks of digital devices. They allow your device to “think,” by performing a staggering number of tiny calculations per second.

Modern devices work in “parallel,” allowing processors to perform different calculations for different applications at the same time. They can also store small bits of information. And this processor complexity is exactly what can be exploited, potentially even by a browser ad or email link.

As The Verge explained:

The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain keystrokes, passwords, and other valuable information.

Meltdown seems to affect only Intel processors, but the company has a near monopoly on processors for personal computers and servers. Spectre, however, is a more general flaw and may affect even more devices, though experts say the flaw is more difficult to exploit.

According to the security researchers who discovered the exploits, the data at risk “might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

The increasing connectivity of consumer products — say, a smart fridge or juicer — makes these exploits especially dangerous.

Spectre and Meltdown, the two major flaws discovered in computer processors, could allow cybercriminals to steal passwords or other sensitive data. And experts are on the lookout for them.
