Meltdown is fully patched, Spectre patches are still coming

Jan 9, 2018 22:35 GMT

Renowned Linux kernel developer Greg Kroah-Hartman has published an in-depth article on the status of the Meltdown and Spectre patches in the Linux kernel.

As you already know, two severe hardware bugs, described as the worst chip flaws in the history of computing, were unearthed last week. Dubbed Meltdown and Spectre, these security vulnerabilities affect us all and put billions of devices at risk by allowing attackers to steal sensitive data stored in kernel memory, either through locally installed apps or through malicious scripts on the Web.

Over the past couple of months, the Linux kernel developers worked hard to mitigate these nasty bugs, and they released several updates to all supported Linux kernel series, which, by now, most GNU/Linux distributions have adopted. Greg Kroah-Hartman urges all users to update to these latest Linux kernel versions immediately, but it looks like the work isn't over yet and more updates are coming.

"If your Linux systems are running a normal Linux distribution, go update your kernel," says Greg Kroah-Hartman. "They should all have the updates in them already. And then keep updating them over the next few weeks, we are still working out lots of corner case bugs given that the testing involved here is complex given the huge variety of systems and workloads this affects."

If your distro does not have kernel updates, change it right now

Greg Kroah-Hartman also noted that if your GNU/Linux distribution doesn't have these new Linux kernel updates, which contain all the fixes to mitigate the Meltdown vulnerability on the x86 architecture, you should consider changing it right now. He also recommended that users run the latest Linux 4.14 release (Linux kernel 4.14.12 at the moment of writing) on their Linux-based operating systems.

The developer said that to get complete protection against the Meltdown vulnerability, your Linux kernel must be built with the CONFIG_PAGE_TABLE_ISOLATION option enabled. Work continues on the Spectre front, a flaw that those who discovered it said would haunt us for years. There are some patches out there for Spectre, as well as various solutions, but the truth is that there will be lots of updates released over the next few years to mitigate this bug.
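One way to check the CONFIG_PAGE_TABLE_ISOLATION requirement described above on an x86 machine, as an added example that is not from Kroah-Hartman's article or the kernel project. The config file locations and the `--live` switch are assumptions, and the `nopti` / `pti=off` boot parameters it flags are kernel options the article does not mention.

```shell
#!/bin/sh
# Added example: report Meltdown page-table-isolation (PTI) status.

# Print enabled, disabled or absent for the kernel config file given as $1.
pti_build_state() {
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_PAGE_TABLE_ISOLATION is not set$' "$1"; then
        echo disabled          # option known to this kernel but switched off
    else
        echo absent            # not in this config (older kernel, or not x86)
    fi
}

# Print disable-requested if the boot command line in $1 carries nopti or
# pti=off, else none. Conservative: does not model parameter precedence.
pti_boot_request() {
    for arg in $1; do
        case "$arg" in
            nopti|pti=off) echo disable-requested; return 0 ;;
        esac
    done
    echo none
}

# Combine both checks: exit status 0 only when PTI is built in and nothing
# on the command line asks for it to be turned off.
pti_report() {
    build=$(pti_build_state "$1")
    boot=$(pti_boot_request "$2")
    echo "build=$build boot=$boot"
    [ "$build" = enabled ] && [ "$boot" = none ]
}

# Run against the local machine only when called with --live (assumed switch).
if [ "${1:-}" = "--live" ]; then
    cfg="/boot/config-$(uname -r)"          # common distro location (assumption)
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        cfg=$(mktemp) && zcat /proc/config.gz > "$cfg"
    fi
    pti_report "$cfg" "$(cat /proc/cmdline)"
fi
```

A non-zero exit from `pti_report` means the kernel either lacks the build option or was booted with a request to turn isolation off, so it is suitable for a fleet compliance check.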

Greg Kroah-Hartman ended his update on the Meltdown and Spectre bugs by saying that it's everyone's duty by now to update their GNU/Linux distributions on a regular basis and keep them updated for a long period of time. "Keeping up to date is always a good idea," said Kroah-Hartman, and we have always recommended the same thing to our readers when new software versions were released.

Meanwhile, work continues on the Linux 4.15 kernel series, which is coming in two weeks with all these patches. Of course, you should still run the latest stable kernel release until Linux 4.15 is ready for mass deployment. On the other hand, Linux kernel 4.16 development kicks off at the end of the month or in early February with a set of patches to mitigate the Meltdown issue for the ARM64 architecture.