Since the release of Meltdown and Spectre, several varieties of Debian kernels have been updated, but only amd64 processors are verifiably mitigating Meltdown, and Spectre remains altogether unfixed. The intent of this thread was originally to start a conversation about deterring these two particular exploits.
It is my personal belief that, in a digitally-networked world where technology vendors sell innovation as the consumer product at the cost of neglecting security, understanding the technology to which you give personal, sensitive information will not truly sustain itself as a corporate product (antivirus software, hardware/software vendors' proprietary mechanisms supported only by their own word); but, rather, will become a deep, and probably intrusive, personal responsibility.
Thank you to everyone who contributed solutions and findings. Here are some highlights of the thread thus far.
Meltdown (CVE-2017-5754)
Mainstream Linux 4.14.11 (and above) features KPTI/PTI (its name has changed since last week) to mitigate Meltdown; on older kernels, this had to be patched/backported, and a few kernels (if any) are still in the works.
A profound ambiguity still surrounds the status of mitigating 32-bit processors: namely, is it even possible? News has been spreading about Linux's patches, and most websites will say a simple update/upgrade will install the patched kernel. Unfortunately, KPTI/PTI depends on a 64-bit Linux build*, and therefore 32-bit processors (i686/pae) lack any clear mitigation against Meltdown. (This can also be verified by looking at the kernel source: run make menuconfig and search for page_table_isolation. I'm still researching this, along with a few users here and on the MX forum, so please post your findings if something is discovered or can be better explained.) Therefore, the currently accepted solution of "just upgrade your system/kernel" is, as far as we know, moot for x86/32-bit.
Update: I reached out to the patch developer, and he confirmed that 32-bit is vulnerable.
The only way to verify whether PTI is active on your system is to search dmesg as root, grepping for strings like page, table, isolation, or pti (the exact string depends on the kernel and distro).
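As an added example (not part of the original post), the following POSIX shell script does the dmesg check described above in a repeatable way, and additionally reads the sysfs entry that newer kernels expose for Meltdown status, which does not need root. The sample dmesg lines are constructed for the test and are modelled on the "Kernel/User page tables isolation" message that patched x86 kernels print; the exact wording on your kernel may differ, which is why the match is deliberately loose. The sysfs path is assumed from kernels that carry the vulnerabilities interface; older kernels simply will not have it.

```shell
#!/bin/sh
# Added example, not from the original post: detect whether PTI/KPTI is active.
# Constructed sample dmesg lines (modelled on the upstream x86 PTI boot messages):
SAMPLE_PTI_ON='[    0.000000] Kernel/User page tables isolation: enabled'
SAMPLE_PTI_OFF='[    0.000000] Kernel/User page tables isolation: disabled on command line.'

# pti_status: reads dmesg-style text on stdin and prints one of
#   enabled   - a PTI line was found and says it is on
#   disabled  - a PTI line was found and says it is off
#   unknown   - no line mentioning page table isolation / pti at all
# The grep pattern covers the strings the post suggests searching for.
pti_status() {
  match=$(grep -i -E 'page.?tables?.?isolation|\bpti\b' | head -n 1)
  case "$match" in
    '')         echo unknown ;;
    *isabled*)  echo disabled ;;
    *nabled*)   echo enabled ;;
    *)          echo unknown ;;   # mentions pti but gives no clear state
  esac
}

# meltdown_sysfs: newer kernels expose the mitigation state in sysfs, readable
# by any user. Assumed path; absent on kernels that predate this interface.
meltdown_sysfs() {
  f=/sys/devices/system/cpu/vulnerabilities/meltdown
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo 'sysfs entry not present (kernel too old, or not x86)'
  fi
}

# Live run: dmesg normally needs root, hence the post's "as root" advice;
# a permission failure just yields "unknown" here.
printf 'dmesg PTI status: %s\n' "$(dmesg 2>/dev/null | pti_status)"
printf 'sysfs meltdown:   %s\n' "$(meltdown_sysfs)"
```

If dmesg reports unknown but the sysfs file exists, trust the sysfs file: the ring buffer may have wrapped since boot, whereas sysfs reflects the kernel's current view.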
The effects of KPTI, although quantifiable**, are largely unnoticeable on most desktop systems. They are more pronounced under heavy file-transfer workloads, like on servers.
Spectre (CVE-2017-{5715,5753})
As of right now, Spectre lingers unmitigated: "Spectre is harder to exploit than Meltdown, but it is also harder to mitigate." Several browsers (i.e., Firefox 57, Firefox ESR, Pale Moon, and Opera) have implemented (or never required) their own deterrents. As with any security precaution, disabling or filtering JavaScript is recommended, along with avoiding suspicious sites and untrusted downloads (like "cool_screensaver.bin").
Looking Forward
Spectre and Meltdown Attacks Against Microprocessors
Further Reading
Bruce Schneier wrote: These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates...
It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.
But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.
Summary of the patch status for Meltdown / Spectre
spectre-meltdown-checker (Github), bash script
Spectre and Meltdown Proof-of-Concept
* Author's note: I speculate the reason it cannot run on 32-bit is because the patch "is 64bit only, as 32bit needs the TSS mapped RW." However, I lack the knowledge to verify this. If this is correct, though, it would be appreciated if kernel maintainers would just say, "your 32-bit system is still vulnerable," because a simple Google search reveals how many outlets are claiming it is patched, versus how many are (not) acknowledging that it is impossible -- in particular, 32-bit systems are completely ignored from the conversations. I would rather be wrong about this statement than falsely believe that I am running a mitigated kernel. Thank you, ritanik, for the link to the patches page.
** Internal references: dd testing reports from stevepusser and links shared by Wheelerof4te
________________________________________________
ORIGINAL POST
If any of this information is in error or outdated, please let me know.
The security tracker claims that there is a patched stretch kernel (4.9.65-3+deb9u2) to avoid Meltdown, but as of this post, the packages page (along with apt-cache policy) suggests that the current version is 4.9.65-3+deb9u1, with the jessie-backports version at 4.9.65-3+deb9u1~bpo8+1 (the same thing). At the time of this posting, it appears that there is no patch for Spectre.
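The version strings above are only meaningful under dpkg's ordering rules, so rather than eyeballing apt-cache policy output, the following added example (not from the original post or from Debian) lets dpkg do the comparison against the fixed version the tracker lists. The point it demonstrates is that the backports string 4.9.65-3+deb9u1~bpo8+1 sorts below 4.9.65-3+deb9u2, because a tilde suffix sorts before anything else, so a backported kernel is not "the same thing" as the fixed one. The package name linux-image-$(uname -r) is the usual Debian naming and is assumed here; on a non-Debian system the helper reports "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example, not from the original post: check an installed Debian kernel
# package version against the version the security tracker lists as fixed.
FIXED_STRETCH='4.9.65-3+deb9u2'   # stretch fixed version quoted in the post

# is_fixed INSTALLED FIXED -> prints fixed | vulnerable | unknown
# Uses dpkg's own comparison so Debian suffixes (+deb9u2, ~bpo8+1) are ordered
# exactly as apt orders them; "unknown" means dpkg is not available here.
is_fixed() {
  installed=$1
  fixed=$2
  command -v dpkg >/dev/null 2>&1 || { echo unknown; return 0; }
  if dpkg --compare-versions "$installed" ge "$fixed"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# installed_kernel_version: package version of the running kernel, or nothing
# if this is not a Debian system or the package is not installed.
installed_kernel_version() {
  command -v dpkg-query >/dev/null 2>&1 || return 0
  dpkg-query -W -f='${Version}\n' "linux-image-$(uname -r)" 2>/dev/null || true
}

# Live run against the booted kernel.
ver=$(installed_kernel_version)
if [ -n "$ver" ]; then
  printf 'running kernel package %s vs fixed %s: %s\n' \
    "$ver" "$FIXED_STRETCH" "$(is_fixed "$ver" "$FIXED_STRETCH")"
else
  printf 'could not determine the running kernel package version\n'
fi
```

Note that "fixed" only means the package version is at or above the tracker's fixed version; it says nothing about whether the booted kernel is that package, so pair it with a reboot and the dmesg/sysfs PTI check.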
In the meantime, what is the best course of action for users, just short of burning all of our technology and burying our money in the ground?
Unrelated: is there any information on how effective grsecurity might be for preventing this exploit?
Meltdown:
-fixed version: 4.9.65-3+deb9u2 (stretch)
https://security-tracker.debian.org/tra ... -2017-5754
Spectre:
-fixed version: none
https://security-tracker.debian.org/tra ... -2017-5753