Connect with us

Hi, what are you looking for?


Endpoint Security

Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches

Microsoft and Intel have shared more information on the performance impact of the patches released for the recently disclosed attack methods known as Spectre and Meltdown.

Microsoft and Intel have shared more information on the performance impact of the patches released for the recently disclosed attack methods known as Spectre and Meltdown.

The Spectre and Meltdown exploits work on systems using CPUs from Intel, AMD and ARM, and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Patches and workarounds have been released by both hardware and software vendors, but they may introduce significant performance penalties.

Intel has insisted that average computer users – owners of typical home and business PCs – should not see any significant impact on performance during common tasks, such as reading emails, viewing photos or writing documents. Benchmark tests conducted by the company using SYSmark 2014 showed an impact of 6 percent or less for 8th Generation Core platforms with solid state storage.

All but two of currently supported Intel processors are said to be affected by the Spectre and Meltdown vulnerabilities. However, a technology called PCID (Process-Context Identifiers), which is present in newer processors, should lessen impact on performance.

Intel says it has yet to “build a complete picture of the impact on data center systems,” but points to statements from major vendors who have conducted tests.

Shortly after applying the Meltdown and Spectre patches to its Azure cloud platform, Microsoft said it had not seen any noticeable performance impact. The company noted that some users may experience networking performance impact, but that can be addressed using the Azure Accelerated Networking feature.

After conducting more tests, Microsoft pointed out that mitigations for Meltdown (CVE-2017-5754) and one of the Spectre flaws (CVE-2017-5753) have minimal performance impact, but the remediation for the second Spectre vulnerability (CVE-2017-5715) does introduce more significant performance penalties.

Advertisement. Scroll to continue reading.

Specifically, Microsoft found that users running Windows 10 on newer chips (2016-era PCs with Skylake, Kabylake or newer CPUs) should not notice any slowdowns. While there are some single-digit performance penalties, they are reflected in milliseconds.

On the other hand, when running Windows 10, Windows 8 or Windows 7 on devices with older chips (2015-era PCs with Haswell or older CPUs), benchmark tests showed more significant penalties and users may actually notice a decrease in performance. On Windows 10, only some users should experience slowdowns, but on older versions of the operating system most users are expected to notice performance issues.

In the case of Windows Server, regardless of what type of chip is used, a more significant performance impact is expected after mitigations are applied, particularly in the case of IO-intensive applications. In the case of Windows Server, Microsoft has actually advised users to evaluate the risk of untrusted code running on their machines and “balance the security versus performance tradeoff” for their specific environment.

“For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel,” Microsoft explained.

Red Hat has also reported seeing measurable performance impact, ranging between 8 and 19 percent, for operations involving highly cached random memory.

Amazon said it had not observed any significant performance impact for the overwhelming majority of EC2 workloads, but some AWS customers have complained about degraded performance after the patches were applied starting with December.

Apple, which started performing tests after releasing updates in December, also said it had not seen any measurable reduction in the performance of macOS and iOS. Google also claimed to have observed negligible impact on performance after applying mitigations to its own systems.

Epic Games informed users recently that the CPU usage of its backend cloud services increased significantly after Meltdown mitigations were applied, which led to login issues and service instability.

Related: Industry Reactions to Meltdown, Spectre Attacks

Related: Microsoft Suspends CPU Flaw Patches for AMD Devices

Related: Lawsuits Filed Against Intel Over CPU Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...