In January of 2018 the cybersecurity world was rocked by news of the massive Meltdown and Spectre vulnerabilities in the Intel processor, but for most users the more tangible worry was that the software fix would slow down their computers by up to thirty percent.
Luckily, like many apocalyptic predictions, this preliminary figure turns out to have been somewhat exaggerated. If you own an affected computer (you probably do), chances are good that it has had a few points taken off its performance, but not enough to be noticeable.
What were Meltdown and Spectre again?
Though security researchers found them in 2017, the Meltdown and Spectre exploits only became public knowledge in early January of 2018. While more thorough technical explanations are available, here’s a one-sentence summary: Meltdown “melts” the processor’s barriers between application processes and system memory (which can contain some very important stuff), while Spectre can trick the processor into accessing places in the memory that were not intended to be accessed. If you use anything with a computer processing chip (mostly Intel, but some AMDs and ARMs as well), this exploit could work on your system.
Patches were rolled out almost immediately to fix (or, more accurately, “mitigate,” since there is no single fix) this issue, but new versions, especially those involving Spectre, keep on popping up. Since this affects so many different systems and is such a complex problem to pin down, work will likely continue for a while.
The damage: how much speed have we lost?
These patches have taken a toll on performance, but it varies wildly depending on your hardware and software setup. The average impact of the patches over time has, so far, not elicited many complaints, which is encouraging. It’s impossible to come up with an exact average across all systems, and official numbers aren’t really available, but hardware review sites really like running benchmarks, so we at least have that data.
Comparing reports from Microsoft, Phoronix, Tom’s Hardware, Tech Report, and Anandtech, the average impact since the patches began seems to have been quite small. The biggest slowdowns reported were from tests that were putting very heavy loads on older processors, and then only for specific tasks. Overall, testing average use cases rarely showed impacts above five percent.
More patches are being released all the time, though, so this isn’t a guarantee for the future. You can take comfort, though, in the fact that the initial patches, which are theoretically the most major, haven’t done much damage.
To get an idea of where your own computer stands, you can use the Gibson Research Inspectre tool to quickly check up on the general state of your computer. If it tells you that you’re patched against both Spectre and Meltdown and your computer is “Good,” that means your system is probably not a lot slower as a result of the patches. If it tells you you’re not protected, you should do something about that as soon as possible.
For the more technically curious, fire up your favorite benchmarking program, disable your Internet connection (no sense taking chances), and run benchmarks with the patches disabled and enabled. If you have interesting results, leave a comment!
Factors that affect performance loss
The patches affect different systems in different ways, depending on how those systems interact with the processors. Again, this is a moving target – new patches and updates are coming out all the time – but in general, these factors will affect your experience.
- Use case: Some aspects of computer performance are hit harder than others. Applications that rely heavily on the processor, like virtualization or cryptocurrency mining, will obviously notice the biggest declines.
- Processor model: Not all processors are affected the same way. A good general rule: the newer your processor, the less affected you’ll probably be, especially with Intel. Your mileage may vary with AMDs and ARMs.
- Operating system: Not all operating systems are affected the same way. Windows 7 and 8 may be the worst hit (if Microsoft’s initial estimates hold true), while Windows 10 doesn’t see noticeable impacts. Mac has been tested less but also seems relatively unscathed, while Linux results vary quite a bit across distribution and kernel.
- Which patch was used and when: Different companies put out different fixes at different times, and some of them caused greater performance declines than others. On May 22nd, in fact, Intel announced that their newest patch might cause two to eight percent declines in some systems.
Conclusion: an ongoing threat
The Meltdown and Spectre vulnerabilities have yet to be implicated in a major attack, but it has been found in plenty of existing malware. It might even be more common now than it was before it became public knowledge, as there are Spectre variants out there that haven’t even been discovered yet.
[UPDATE: 2018-02-01] #Spectre & #Meltdown: So far, the AV-TEST Institute discovered 139 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754
— AV-TEST GmbH (@avtestorg) February 1, 2018
Spectre-proof processors are in the works, but there’s no official release date on a hardware solution yet. For now, the name of the game is “whack-a-mole,” as new variants keep appearing and keep getting patched. The performance impact thus far has been very manageable, but that’s not to say that there might not be more serious issues in the future. In the meantime, install the software updates, practice good computer security, and maybe hold off on upgrading your hardware until those new chips come out, maybe in a year or two.