Last Wednesday, details emerged about three rather severe exploits that potentially affect almost every Intel chip released since 1995. It was later discovered that a subset of these exploits could be replicated on both AMD and ARM silicon. Now, Microsoft has issued a post to explain the performance impact of its efforts to mitigate these exploits.
Although what we've come to know as Meltdown and Spectre were revealed to the general public less than a week ago, OS makers and manufacturers had been alerted of their existence back in June of last year by Google's Project Zero. Since then, patches have been in the works and were released by Intel and Microsoft, some of the latter's patches being specifically for Edge and Internet Explorer as well as the UEFI of its Surface devices. Apple has also chimed in saying that all macOS and iOS devices were affected, with patches being issued yesterday.
Users running on AMD chips have had more grief to deal with due to the company not providing Microsoft with adequate information when the patch was being created. As such, those systems were unable to boot following the emergency update that was issued. Presently, the process of updating Windows running on AMD silicon has been paused, as Microsoft is looking to resolve this situation "as soon as possible".
Microsoft's Terry Myerson has now provided a handy table to point out what has been done about each vulnerability:
in Windows Updates
Edge, IE updated to
|Calling new CPU instructions to eliminate branch speculation in risky situations||Yes|
Isolate kernel and user mode page tables
As the table above shows, there are two different variants of Spectre - hence why there are three exploits, but only two names for them -, and the availability of patches varies. According to Myerson, the company supports 45 versions of Windows, 41 of which have patches available. You can check out availability at this link.
Unsurprisingly, it's recommended that everyone install the appropriate updates, however, Windows Server customers do have to evaluate their need for these patches (emphasis added):
Windows Server customers, running either on-premises or in the cloud, also need to evaluate whether to apply additional security mitigations within each of their Windows Server VM guest or physical instances. These mitigations are needed when you are running untrusted code within your Windows Server instances (for example, you allow one of your customers to upload a binary or code snippet that you then run within your Windows Server instance) and you want to isolate the application binary or code to ensure it can’t access memory within the Windows Server instance that it should not have access to. You do not need to apply these mitigations to isolate your Windows Server VMs from other VMs on a virtualized server, as they are instead only needed to isolate untrusted code running within a specific Windows Server instance.
The reason why an evaluation is needed has been revealed by the benchmarks Microsoft has run on systems post update. According to the company, mitigations for variants 1 and 3 have no noticeable impact on performance, but that for variant 2 does. The results are as follows:
- With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
- With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
- With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
- Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
The bigger performance hit on older systems and silicon is due to a combination of processor architecture and what Myerson calls "legacy design decisions", like font rendering taking place in the kernel.
Originally, January 9 was supposed to be the date of disclosure of this pair of vulnerabilities, but the reveal happened a week earlier due to updates to the Linux kernel. Today is also the day when Project Zero releases its full report on both flaws - which can be read here - and the target date for Ubuntu "fixing" Meltdown and Spectre.