Following the discovery of three critical flaws in a range of processors, OEMs and OS manufacturers have issued various patches. Microsoft has detailed what performance impact its patches have.
Last Wednesday, details emerged about three rather severe exploits that potentially affect almost every Intel chip released since 1995. It was later discovered that a subset of these exploits could be replicated on both AMD and ARM silicon. Now, Microsoft has issued a post to explain the performance impact of its efforts to mitigate these exploits.
Although what we’ve come to know as Meltdown and Spectre were revealed to the general public less than a week ago, OS makers and manufacturers had been alerted of their existence back in June of last year by Google’s Project Zero. Since then, patches have been in the works and were released by Intel and Microsoft, some of the latter’s patches being specifically for Edge and Internet Explorer as well as the UEFI of its Surface devices. Apple has also chimed in saying that all macOS and iOS devices were affected, with patches being issued yesterday .
Users running on AMD chips have had more grief to deal with due to the company not providing Microsoft with adequate information when the patch was being created. As such, those systems were unable to boot following the emergency update that was issued. Presently, the process of updating Windows running on AMD silicon has been paused, as Microsoft is looking to resolve this situation «as soon as possible».
Microsoft’s Terry Myerson has now provided a handy table to point out what has been done about each vulnerability:
As the table above shows, there are two different variants of Spectre — hence why there are three exploits, but only two names for them -, and the availability of patches varies. According to Myerson, the company supports 45 versions of Windows, 41 of which have patches available. You can check out availability at this link.
Unsurprisingly, it’s recommended that everyone install the appropriate updates, however, Windows Server customers do have to evaluate their need for these patches (emphasis added):
The reason why an evaluation is needed has been revealed by the benchmarks Microsoft has run on systems post update. According to the company, mitigations for variants 1 and 3 have no noticeable impact on performance, but that for variant 2 does. The results are as follows:
The bigger performance hit on older systems and silicon is due to a combination of processor architecture and what Myerson calls «legacy design decisions», like font rendering taking place in the kernel.
Originally, January 9 was supposed to be the date of disclosure of this pair of vulnerabilities, but the reveal happened a week earlier due to updates to the Linux kernel. Today is also the day when Project Zero releases its full report on both flaws — which can be read here — and the target date for Ubuntu «fixing» Meltdown and Spectre.
