The biggest tech news of the summer has, arguably, been the revelation that CPUs in a massive number of computer systems are susceptible to three different vulnerabilities. Two of these, CVE-2017-5753 and CVE-2017-5715, have been dubbed Spectre, with the third, CVE-2017-5754, given the Meltdown moniker. Tech companies around the world have been scrambling to provide mitigations to these vulnerabilities. Microsoft has provided some detail on what they’ve done and what performance impact you can expect.
Microsoft released a number of fixes outside their usual Patch Tuesday (or Wednesday for us due to the time difference between Australia and the United States) cycle that address these specific issues. However, they were forced to pull back the original fixes as they caused issues with some systems using AMD processors.
Currently, Microsoft supports 45 different releases of Windows. Patches have been issued for 41 of those with the remainder to be patched “soon” says the company. You can find the full list of Windows editions and supporting update information here.
So, what do Microsoft’s fixes do? The company has provided a reasonably detailed description of the impact. But the TL;DR is simple: the fixes impact system performance. Specifically:
- With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
- With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
- With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
- Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
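The Windows Server point above is an action item for administrators: the patch installs the mitigation code but leaves it switched off until the override values are set. As an added PowerShell check (not code from the article or from Microsoft), the function below reports whether those values enable the mitigations and, where Microsoft's SpeculationControl module is installed, what the kernel reports as active; the registry value names and the module are assumptions taken from Microsoft's Windows Server guidance, not from this article.

```powershell
# Added example (not from the article): report the Spectre/Meltdown mitigation
# state of a Windows Server host so the security-versus-performance decision
# can be recorded per instance.
# Assumptions (outside the article): the FeatureSettingsOverride and
# FeatureSettingsOverrideMask values from Microsoft's Windows Server guidance,
# and the optional 'SpeculationControl' module from the PowerShell Gallery.

function Get-SpectreMeltdownMitigationState {
    [CmdletBinding()]
    param()

    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # On Windows Server the update ships the fixes disabled; setting
    # Override = 0 with Mask = 3 turns on both the Spectre (branch target
    # injection) and Meltdown (kernel VA shadow) mitigations.
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    $enabledByRegistry = ($override -eq 0 -and $mask -eq 3)

    $result = [ordered]@{
        ComputerName                = $env:COMPUTERNAME
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        EnabledByRegistry           = $enabledByRegistry
    }

    # Cross-check with Microsoft's SpeculationControl module when present:
    # it asks the kernel which mitigations are actually active, which also
    # catches the case where the registry says "on" but microcode is missing.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $sc = Get-SpeculationControlSettings
        $result.BranchTargetInjectionEnabled = [bool]$sc.BTIWindowsSupportEnabled
        $result.KernelVAShadowEnabled        = [bool]$sc.KVAShadowWindowsSupportEnabled
    } else {
        $result.BranchTargetInjectionEnabled = 'unknown (SpeculationControl module not installed)'
        $result.KernelVAShadowEnabled        = 'unknown (SpeculationControl module not installed)'
    }

    [pscustomobject]$result
}

# Run on each server and keep the output with the risk assessment for that instance.
Get-SpectreMeltdownMitigationState | Format-List
```

Run the script in an elevated session; if EnabledByRegistry is false, the fixes are installed but not protecting the instance, which is the situation the Microsoft note asks administrators to decide on deliberately.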
Microsoft says newer Intel processors (Skylake and later) have made things a little better, so the performance hit from the mitigations isn’t as severe. But systems running older processors will see noticeable slowdowns.
The question many will be asking is whether the performance hit is a price worth paying for the security mitigation. That’s a question businesses will need to address. There are no in-the-wild exploits for Spectre and Meltdown that we know of, but now that the bad guys know these exist there’s little doubt they will be looking for ways to take advantage of these weaknesses. That’s why I’d be updating all my systems if I were responsible for system security.