The nature of the Spectre flaw means that fixes to guard against attacks also have the effect of slowing down computers in certain circumstances. Here's how the patches will affect you.
Microsoft has warned that PCs older than two years that haven't been upgraded to Windows 10 will suffer noticeable slowdowns following the patch against the Spectre CPU flaw.
Spectre and Meltdown are design flaws in modern processors that could allow hackers to bypass system protections on a wide range of devices, allowing attackers to read sensitive information, such as passwords, from memory.
The nature of the Spectre flaw means that fixes to guard against attacks also have the effect of slowing down computers in certain circumstances. Microsoft has analyzed which systems are likely to be worst affected by applying the Spectre fix, and found the following:
- Most users running Windows 8 and Windows 7 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance.
- Some users running Windows 10 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance, with "more significant slowdowns" than on newer chips.
- Most users running Windows 10 PCs on 2016-era Intel Skylake, Kaby Lake or newer CPUs won't notice a change, due to only "millisecond differences" in operations.
Microsoft says the difference in performance impact stems from architectural refinements in newer processors and changes to the design of Windows between 8 and 10.
"We're performing our own sets of benchmarks and will publish them when complete," writes Terry Myerson, Microsoft's executive VP of the Windows and Devices Group.
"But I also want to note that we are simultaneously working on further refining our work to tune performance."
All supported versions of Windows and Windows Server have been patched against Spectre and Meltdown, apart from Windows Server 2012 Security Only, Windows Server 2008 SP2, Windows Server 2012 Monthly Rollup and Windows Embedded 8 Standard.
Three exploits have been demonstrated for the flaws: two for Spectre (CVE-2017-5753 and CVE-2017-5715) and one for Meltdown (CVE-2017-5754). The fix for the second Spectre exploit, CVE-2017-5715, requires both an update to the OS and an update to the computer's microcode in order to reduce the risk of branch target injection, and it is these patches that have the unavoidable effect of slowing down systems when performing certain operations.
While Microsoft is patching Windows against the CVE-2017-5715 Spectre exploit, it is up to the manufacturer of the computer to patch the system's microcode. Microsoft began updating Microsoft Surface devices yesterday and is maintaining a list of system microcode updates available from major computer manufacturers.
While Intel chips are affected by both Meltdown and Spectre flaws, computers with AMD processors are only affected by Spectre, which is significantly more difficult to exploit than Meltdown. Only a small number of Arm-based processors are affected by Spectre; however, the affected chips are widely used in smartphones and tablets, including all Apple iPads and iPhones.
The Windows patches for Spectre and Meltdown have caused various problems, including conflicts with anti-virus software and crashes in PCs running on older AMD processors, with Microsoft yesterday suspending the rollout of patches to affected PCs.
Earlier third-party assessments of the impact of the Windows Spectre fix on PCs running on the 2014 Intel Core i7 5960x processor found minimal impact, although these appear to have been conducted before microcode fixes were applied, so may not reflect the impact on a fully patched machine.
The impact on Windows Server
Balancing the performance impact of the Spectre fixes will be more difficult on Windows Server systems, according to Microsoft.
Myerson warns: "Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance.
"This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment."
Microsoft recommends that Windows Server admins apply both the patches available through Windows Update and system microcode fixes to ensure they can properly isolate virtualized workloads running on the server.
Microsoft says it has already patched its Azure cloud systems to ensure that customer data and applications are isolated from each other.
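The CVE-2017-5715 fix depends on both the Windows update and the manufacturer's microcode, and on Windows Server the mitigation also has to be enabled. The following added example (not from Microsoft or the original article) checks those three conditions by interpreting the object returned by `Get-SpeculationControlSettings`, a cmdlet in Microsoft's SpeculationControl PowerShell module. The function name `Get-BtiMitigationState` and the three sample objects are constructed for illustration.

```powershell
# Added example. Get-BtiMitigationState is a hypothetical helper; the property
# names are those returned by Get-SpeculationControlSettings.
function Get-BtiMitigationState {
    param([Parameter(Mandatory)] $Settings)

    # Branch target injection (CVE-2017-5715) is only mitigated when the
    # microcode, the OS update, and the enabled state are all in place.
    $gaps = @()
    if (-not $Settings.BTIHardwarePresent)       { $gaps += 'microcode update missing (from the PC manufacturer)' }
    if (-not $Settings.BTIWindowsSupportPresent) { $gaps += 'Windows update missing' }
    if ($Settings.BTIDisabledBySystemPolicy)     { $gaps += 'mitigation disabled by system policy' }
    if (-not $Settings.BTIWindowsSupportEnabled -and $gaps.Count -eq 0) {
        $gaps += 'mitigation present but not enabled'
    }

    [pscustomobject]@{
        Protected = ($gaps.Count -eq 0)
        Gaps      = ($gaps -join '; ')
    }
}

# Constructed sample results, so the logic can be exercised offline.
$samples = [ordered]@{
    'OS patched, no microcode' = [pscustomobject]@{
        BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
        BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $false }
    'Server, installed but off' = [pscustomobject]@{
        BTIHardwarePresent = $true; BTIWindowsSupportPresent = $true
        BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $true }
    'Fully patched and enabled' = [pscustomobject]@{
        BTIHardwarePresent = $true; BTIWindowsSupportPresent = $true
        BTIWindowsSupportEnabled = $true; BTIDisabledBySystemPolicy = $false }
}

foreach ($name in $samples.Keys) {
    $state = Get-BtiMitigationState -Settings $samples[$name]
    '{0,-28} Protected={1,-5} {2}' -f $name, $state.Protected, $state.Gaps
}

# On a machine with the SpeculationControl module installed, check the live state.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-BtiMitigationState -Settings (Get-SpeculationControlSettings)
}
```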