Quick Links

Computer processors have a massive design flaw, and everyone is scrambling to fix it. Only one of the two security holes can be patched, and the patches will make PCs (and Macs) with Intel chips slower.

Update: An earlier version of this article stated that this flaw was specific to Intel chips, but that isn't the whole story. There are in fact two major vulnerabilities here, now dubbed "Meltdown" and "Spectre". Meltdown is largely specific to Intel processors, and affects all CPU models from the past few decades. We've added more information about these two bugs, and the difference between them, to the article below.

What Are Meltdown and Spectre?

Spectre is a "fundamental design flaw" that exists in every CPU on the market---including those from AMD and ARM as well as Intel. There is currently no software fix, and it will likely require a complete hardware redesign for CPUs across the board---though thankfully it is fairly difficult to exploit, according to security researchers. It's possible to protect against specific Spectre attacks, and developers are working on it, but the best solution will be a CPU hardware redesign for all future chips.

Meltdown basically makes Spectre worse by making the core underlying flaw much easier to exploit. It's essentially an additional flaw that affects all Intel processors made in the past few decades. It also affects some high-end ARM Cortex-A processors, but it doesn't affect AMD chips. Meltdown is being patched in operating systems today.

But how do these flaws work?

Related: What is the Linux Kernel and What Does It Do?

Programs running on your computer run with different levels of security permissions. The operating system kernel---the Windows kernel or the Linux kernel, for example---has the highest level of permissions because it runs the show. Desktop programs have fewer permissions and the kernel restricts what they can do. The kernel uses the processor's hardware features to help enforce some of these restrictions, because it's faster to do it with hardware than software.

The problem here is with "speculative execution". For performance reasons, modern CPUs automatically run instructions they think they might need to run and, if they don't, they can simply rewind and return the system to its previous state. However, a flaw in Intel and some ARM processors allows processes to run operations that they wouldn't normally be able to run, as the operation is performed before the processor bothers to check whether it should have permission to run it or not. That's the Meltdown bug.

The core problem with both Meltdown and Spectre lies within the CPU's cache. An application can attempt to read memory and, if it reads something in the cache, the operation will complete faster. If it tries to read something not in the cache, it will complete slower. The application can see whether or not something completes fast or slow and, while everything else during speculative execution is cleaned up and erased, the time it took to perform the operation can't be hidden. It can then use this information to build a map of anything in the computer's memory, one bit at a time. The caching speeds things up, but these attacks take advantage of that optimization and turns it into a security flaw.

Related: What Is Microsoft Azure, Anyway?

So, in a worst case scenario, JavaScript code running in your web browser could effectively read memory it shouldn't have access to, such as private information held in other applications. Cloud providers like Microsoft Azure or Amazon Web Services, who host multiple different company's software in different virtual machines on the same hardware are particularly at risk. One person's software could, in theory, spy on things in another company's virtual machine. It's a breakdown in the separation between applications. The patches for Meltdown means this attack won't be as easy to pull off. Unfortunately, putting these extra checks into place means some operations will be slower on affected hardware.

Developers are working on software patches that make Spectre attacks more difficult to execute. For example, Google's Chrome's new Site Isolation feature helps protect against this, and Mozilla has already made some quick changes to Firefox. Microsoft also made some changes to help protect Edge and Internet Explorer in the Windows Update that's now available.

If you're interested in the deep low level details about both Meltdown and Spectre, read the technical explanation from Google's Project Zero team, who discovered the bugs last year. More information is also available on the MeltdownAttack.com website.

How Much Slower Will My PC Be?

Update: On January 9, Microsoft released some information about the performance of the patch. According to Microsoft, Windows 10 on 2016-era PCs with Skylake, Kabylake or newer Intel processors show "single-digit slowdowns" most users shouldn't notice. Windows 10 on 2015-era PCs with Haswell or an older CPU may see greater slowdowns, and Microsoft "expects that some users will notice a decrease in system performance".

Windows 7 and 8 users aren't as lucky. Microsoft says they "expect most users to notice a decrease in system performance" when using Windows 7 or 8 on a 2015-era PC with Haswell or an older CPU. Not only do Windows 7 and 8 use older CPUs that can't run the patch as efficiently, but "Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel", and this also slows things down.

Microsoft plans to perform its own benchmarks and release more details in the future, but we don't know exactly how much Meltdown's patch will affect day-to-day PC use yet. Dave Hansen, a Linux kernel developer who works at Intel, originally wrote that the changes being made in the Linux kernel will affect everything. According to him, most workloads are seeing a single digit slowdown, with a roughly 5% slowdown being typical. The worst case scenario was a 30% slowdown on a networking test, though, so it varies from task to task. These are numbers for Linux, however, so they don't necessarily apply to Windows. The fix slows down system calls, so tasks with a lot of system calls, such as compiling software and running virtual machines, will likely slow down the most. But every piece of software uses some system calls.

Update: As of January 5th, TechSpot and Guru3D have performed some benchmarks for Windows. Both sites concluded that desktop users don't have much to worry about. Some PC games see a small 2% slowdown with the patch, which is within the margin of error, while others appear to perform identically. 3D rendering, productivity software, file compression tools, and encryption utilities appear unaffected. However, file read and write benchmarks do show noticeable differences. The speed of quickly reading a large amount of small files dropped about 23% in Techspot's benchmarks, and Guru3D found something similar. On the other hand, Tom's Hardware found only a 3.21% average drop in performance with a consumer application storage test, and argued that the "synthetic benchmarks" showing more significant drops in speed don't represent real-world usage.

Computers with an Intel Haswell processor or newer have a PCID (Process-Context Identifiers) feature that will help the patch perform well. Computers with older Intel CPUs may see a greater decrease in speed. The above benchmarks were performed on modern Intel CPUs with PCID, so it's unclear how older Intel CPUs will perform.

Intel says the slowdown "should not be significant" for the average computer user, and so far that looks true, but certain operations do see a slowdown. For the cloud, Google, Amazon, and Microsoft all basically said the same thing: For most workloads, they haven't seen a meaningful performance impact after rolling out the patches. Microsoft did say that "a small set of [Microsoft Azure] customers may experience some networking performance impact." Those statements do leave room for some workloads to see significant slowdowns. Epic Games blamed the Meltdown patch for causing server problems with its game Fortnite and posted a graph showing a huge increase in CPU usage on its cloud servers after the patch was installed.

But one thing is clear: Your computer is definitely not getting any faster with this patch. If you have an Intel CPU, it can only get slower---even if it is by a small amount.

What Do I Need to Do?

Related: How to Check if Your PC or Phone Is Protected Against Meltdown and Spectre

Some updates to fix the Meltdown issue are already available. Microsoft has issued an emergency update to supported versions of Windows via Windows Update on January 3, 2018, but it hasn't made it to all PCs yet. The Windows Update that solves the Meltdown and adds some protections against Spectre is named KB4056892.

Apple already patched the issue with macOS 10.13.2, released on December 6, 2017. Chromebooks with Chrome OS 63, which was released in mid-December, are already protected. Patches are also available for the Linux kernel.

In addition, check to see if your PC has BIOS/UEFI updates available. While the Windows update fixed the Meltdown problem, CPU microcode updates from Intel delivered via a UEFI or BIOS update are needed to fully enable protection against one of the Spectre attacks. You should also update your web browser---as usual---as browsers are adding some protections against Spectre, as well.

Update: On January 22, Intel announced that users should stop deploying the initial UEFI firmware updates due to "higher than expected reboots and other unpredictable system behavior". Intel said you should wait for a final UEFI firmware patch that's been properly tested and won't cause system problems. As of February 20, Intel has released stable microcode updates for Skylake, Kaby Lake, and Coffee Lake---that's the 6th, 7th, and 8th Generation Intel Core platforms. PC manufacturers should begin rolling out new UEFI firmware updates soon.

While a performance hit sounds bad, we strongly recommend installing these patches anyway. Operating system developers wouldn't be making such massive changes unless this was a very bad bug with serious consequences.

The software patch in question will fix the Meltdown flaw, and some software patches can help mitigate the Spectre flaw. But Spectre will likely continue to affect all modern CPUs---at least in some form---until new hardware is released to fix it. It's unclear how manufacturers will handle this, but in the meantime, all you can do is continue using your computer---and take solace in the fact that Spectre is more difficult to exploit, and somewhat more of a concern for cloud computing than end users with desktop PCs.

Image Credit: Intel, VLADGRIN/Shutterstock.com.