To fix the Spectre, Meltdown threat, it isn't always pretty

The Spectre/Meltdown threat to computers worldwide has fixes now. But the fixes can sometimes sap performance.

Both Meltdown and Spectre are hardware vulnerabilities that hackers could use to steal information from computer memory. In one of the worst-case scenarios, it could be as egregious as stealing sensitive personal data like passwords or banking information.

The reasons for the vulnerabilities are complex, but in a nutshell, they exist because chip designers, in an effort to make processors faster, sacrificed security. Apple has provided a relatively simple but longer explanation.


Is the cure worse than the disease?

Jérôme Boursier, a researcher at Malwarebytes, told Fox News that software patches are available to fix Meltdown without requiring hardware changes, but Spectre is a different story.

"Regarding Spectre, the software patches currently available are a set of workarounds to mitigate a class of bad hardware CPU [processor] design, so they aren’t a fix," Boursier said. "They just change the system behavior to avoid using the bad-designed part of the CPU."

Patches that mitigate the vulnerability can slow things down. That’s because the fix, in effect, plugs the vulnerable processes that would otherwise boost performance.

Though many processor-intensive operations are not noticeably affected based on testing so far, that's not always the case. PC World saw a few cases of disk slowdowns on a Microsoft Surface Book after patches were installed. For one operation, storage drive performance dropped by as much as 26 percent, and for another by 42 percent.

Tests done by Techspot on Jan. 7 saw a five to eight percent reduction in some disk operations while other so-called 4K disk writes saw a 20 percent hit after patches were installed. And a 512K write test logged a 41 percent performance hit.

Meanwhile, Microsoft has stated in a blog post that a “variant” of the fix – which patches both the operating system and the processor’s microcode – results in performance degradation.

Older systems appear to take the biggest hit. If a computer is using older Intel processors running Windows 8, for example, Microsoft said it “expect[s] most users to notice a decrease in system performance” after installing the patch.

Those processors – including an Intel chip architecture known as “Haswell” – aren’t exactly ancient, however, and are still used by consumers worldwide in systems purchased as recently as three and a half years ago.

"[It] is an expensive proposition to validate basically every laptop and desktop going back to [older Intel chips]," PC World's Gordon Mah Ung told Fox News.


Servers, games and the cloud

Input-output applications – which can hit storage disk performance – on Windows Server show “significant” slowdowns after mitigations are enabled, Microsoft said in the aforementioned blog post.

The tech giant adds that it’s important to “evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.” This means that users will have to sacrifice performance if they want to make their servers more secure.

“Microsoft has been working closely with chip manufacturers to develop and test mitigations to protect our customers,” a Microsoft spokesperson told Fox News in a statement.

The spokesperson added, "We have deployed mitigations to our cloud services and released security updates on Jan. 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD [processors]. We have not received any information to indicate that these vulnerabilities have been used to attack our customers."

Video gaming that uses computers in the cloud can also take a hit. Epic Games posted a notice on Jan. 5 illustrating how its cloud services got whacked by patches for its Fortnite game.

“All of our cloud services are affected by updates required to mitigate the Meltdown vulnerability…[and there was] a significant impact on CPU usage of one of our back-end services after a host was patched to address the Meltdown vulnerability," the company wrote.

And Google has struggled to make sure cloud performance (which affects pretty much anyone who uses Google services like search) isn't impacted by fixes -- though it claims to have solved that now so performance doesn't degrade.

An update to Google's web browser, Chrome 64, due to be released on Jan. 23, will contain mitigations to protect against exploitation.


Other issues

Other issues that arise include frequent reboots after patches are installed. Both Intel Haswell and Broadwell processor-based systems have had issues with "higher reboots" for both clients (individual PCs) and data centers, Intel said in a blog post.

"We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center," Intel added.


On Jan. 3, Microsoft issued the January 2018 Windows operating system security update, which said antivirus updates should be installed first; then users can make sure they've turned on Windows automatic updates.

Hardware (also known as firmware) updates from PC manufacturers are also critical. That may require a user to check with their device manufacturer for updates. HP and Dell have provided resources here and here.

Malwarebytes has a summary of fixes as well.

Despite all the steps taken, the problem won't be resolved anytime soon. "This will go on for months if not years," PC World's Ung said.