In his estimation, there is a fairly high probability that timely mailware will emerge that exploits the meltdown vulnerability. For example, there is already proof-of-concept code - code designed to demonstrate potential vulnerabilities in software and operating systems, and to demonstrate the security risks of a particular attack method - as well as working exploit code on the internet.
Since Spectre is much more complicated and therefore not so easy to exploit, it will probably take a little longer for Spectre to be used in malware.
Fogh is refraining from the fact that there will be a universal attack code. Because the range of CPU models with different system architectures and specifications is very large. So the effort for an effective exploit code that would be used on many CPU models, far too big. Especially since the Expolit codes additionally have to be adapted to the respective operating systems, which are in the attacking focus.
Therefore, it is important to install the available updates and harden vulnerable systems against these types of attacks.
The following attack scenarios would be conceivable
On the one hand, high-performance CPUs are used in many devices, such as in industrial applications and in the field of games and consumer electronics. In addition, the more powerful the CPU, the more likely it is to be exposed to the attacks. On the other hand, the principle of economics also applies to the attackers. Which means:
With Meltdown and Spectre information can indeed be tapped. However, it is not profitable to collect data from many devices that can not be used later and converted into money. Thus, the high cost in many cases for useless data is not justified. However, exactly this can be quite lucrative with many routers and firewalls.
In light of the fact that security vulnerability attacks are mostly restricted to the compromised user's rights -which applies to environments in which multiple users share a computer (eg enterprise or server in general), retrieving information from the system kernel becomes Meltdown and Spectre again lucrative. Because there is a lot of information that attackers could use to get higher rights and thus the full access to the entire computer..
Furthermore, Fogh does not rule out long-term effects. Because of the architecture and the structure of the CPUs on which the underlying problems are based, further problem cases can be expected. However, in very few cases, the consequences are likely to be as serious as with Spectre and Meltdown.
Further security gaps in CPUs Fogh by no means excludes. Given the background of modern CPUs that operate with more than 3 billion transistors, it would be very unusual to see no further shortcomings in such complex environments.
An impressive comparison is that with the NASA Apollo moon's Saturn V rocket: Today's modern CPUs have about a thousand times more parts than this Saturn V rocket.
The "Meltdown Code" illustration and the "Spectre" logo were created by Natascha Eibl and are licensed under CreativeCommons Public Domain Dedication