Tests Show Tiny PC Performance Hit From Meltdown, Spectre Fix

Intel, Microsoft, and other companies have warned that some PCs may see performance decreases as a result of security patches to fix the Spectre and Meltdown security flaws disclosed earlier this month. We tested four PCs from a variety of manufacturers that were updated in mid-January to protect against the flaws and found that while each of the systems did suffer a slowdown in computing performance, it’s slight enough that most users won’t notice the difference.

The Spectre and Meltdown code names refer to vulnerabilities in the way the CPU anticipates and prepares for future commands in order to perform them faster, a process known as speculative execution. Security researchers found that hackers could theoretically access these commands-in-waiting, which could enable them to steal sensitive information like usernames and passwords.

The speculative execution vulnerability is one of the most significant processor security flaws ever discovered, because it affects so many types of consumer electronic devices. Many products, not just PCs, that contain chips from Intel, ARM, and AMD are susceptible, but it is PCs that have borne the brunt of the attention, mainly because fixing the flaws could make them slower.

The degree to which computing performance suffers as a result of the mitigations against Spectre and Meltdown depends on how you use your PC and how old and powerful its processor is to begin with. “For most consumer devices,” Microsoft said in a statement, “the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer.”

In other words, the Spectre and Meltdown fixes are like any other system update: They’ll likely have more of a performance impact depending on how well your PC maker has adapted them to your hardware. That’s a difficult thing to evaluate, but we attempted to do so by comparing the performance of four laptops with the latest software updates with their performance when we first tested them last year, before Spectre and Meltdown became known.

Our comparisons are based on two catch-all benchmarks. We used the PCMark 8 test to measure the computer’s performance on web browsing, video conferencing, and many other tasks that consumers use their PCs to accomplish on a regular basis. We also ran the Cinebench 3D rendering simulation, which simulates a more processor-intensive workflow that professionals like video editors and architectural designers are likely to perform. These are a subset of our full testing regime; for more, read about how we test laptops.

Each of the machines we re-tested has the latest operating system updates installed directly from Microsoft or Apple, which means they have software-level protection against Spectre and Meltdown, since both companies released mitigations by last week. Intel says that firmware updates for 90 percent of its chips manufactured in the last five years are now ready, but it’s up to the manufacturer to test them and roll them out to PCs. Each of the Windows systems we tested had these firmware updates installed either from the manufacturer website or from the software update utility, a process that involves flashing the BIOS.

Here’s the bad news: Each of the Windows laptops we tested saw slight decreases in their PCMark scores, which suggests that the updates have a wide-ranging effect on everyday performance. However, the good news is that the difference is negligible. On the PCMark benchmark, which delivers a proprietary cumulative score, a difference of a few hundred points or so is trivial. What’s more, any PC that scores above 3,000 on this test is an excellent all-around performer, able to handle common computing tasks like starting up apps and loading websites with negligible waiting time.

The Dell Latitude 7389 had the biggest PCMark score drop, from 3,323 to 3,263, or 60 points. The HP EliteBook 1040 G4 dropped by 44 points, to 3,510. The only system to score below 3,000 was the Microsoft Surface Laptop, but it also had a very slight decrease, from 2,745 to 2,690. Macs can’t run PCMark.

The story was mostly the same on the Cinebench test. Each of the systems recorded a drop of between a few points and a few dozen points. The most consistent was the Surface Laptop, which decreased from 324 to 320. The biggest drop belongs to the Apple MacBook Pro, which decreased by 68 points, from 374 to 306. Curiously, the EliteBook recorded an increase with Cinebench, which could mean that HP delivered some performance optimizations in a recent update independent of the security patches, or signal an anomaly in our original test.

These numbers should reassure the majority of PC users, since they largely confirm several manufacturers’ claims that performance hits are negligible. On the other hand, people who use screaming-fast, Intel Xeon-powered workstations and companies that manage server farms will likely want to run their own tests to evaluate the effects of the Spectre and Meltdown mitigations.

Each system we tested uses an Intel Core i5 or Core i7 processor. On February 20, about a month after we performed the retests, Intel released a new round of firmware updates, including many for seventh- and eighth-generation Core processors, so it’s possible that our results differ from what you might experience if you have a system with the latest patches. For more on how to protect your PC, visit our guide.

See also: Spectre and Meltdown Attacks Against Microprocessors

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution — which of course is not a solution — is to throw them all away and buy new ones.

On Wednesday, researchers just announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15-20 years. They’ve been named Spectre and Meltdown, and they have to do with manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets elsewhere on the computer. (The research papers are here and here.)

This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer — maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack — can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Someone can run a process in the cloud and steal data from every other user on the same hardware.

Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.

“Throw it away and buy a new one” is ridiculous security advice, but it’s what US-CERT recommends. It is also unworkable. The problem is that there isn’t anything to buy that isn’t vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. (Here’s a running list of who’s patched what.)

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren’t security teams on call to write patches, and there often aren’t mechanisms to push patches onto the devices. We’re already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can’t be fixed.

The second is that some of the patches require updating the computer’s firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors. But it couldn’t get that update directly to users; it had to work with the individual hardware companies, and some of them just weren’t capable of getting the update to their customers.

We’re already seeing this. Some patches require users to disable the computer’s password, which means organizations can’t automate the patch. Some antivirus software blocks the patch, or — worse — crashes the computer. This results in a three-step process: patch your antivirus software, patch your operating system, and then patch the computer’s firmware.

The final reason is the nature of these vulnerabilities themselves. These aren’t normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.

You probably won’t notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don’t do all of the vulnerable fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.

It’s a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they’ll figure out some clever way of detecting and blocking the attacks. All in all, as bad as Spectre and Meltdown are, I think we got lucky.

But more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.

Note: A shorter version of this essay previously appeared on CNN.com. My previous blog post on this topic contains additional links.