Skip to main content
  1. Home
  2. Computing
  3. News

Zombieload forces a choice between performance and security. What will you do?

By

Another week, another devastating, industry-shaking, cybersecurity threat. This week’s is particularly haunting, though — the resurrected corpse of the Spectre and Meltdown vulnerabilities, aptly known as ZombieLoad.

It’s been over 16 months since the original Spectre and Meltdown vulnerabilities were revealed, and little has been done to assure us our PCs are safe. Each of us has to make a choice between performance and security.

That really sucks.

Recommended Videos

The Hyper-threading problem

Understanding Spectre and Meltdown

Unlike in 2018, the major companies’ products affected by this vulnerability have responded quickly. Statements and patches from Microsoft, Amazon, Google, Apple, and Intel were all released on day one of the publishing of the discovery. It’s great to see Intel confidently announce the problem it discovered and present the available solutions to its customers.

Related

There are, however, performance compromises to some of these solutions.

Dips in performance (or far worse) were common in the Spectre microcode patches released by Intel in 2018. That was especially true toward the beginning of the process. As in the early days of the fight against ZombieLoad and other Micro-architectural Data Sampling (MDS) vulnerabilities, we’re seeing signs of that same problem.

Now, Intel has already addressed of the issue at the hardware level in its recent 8th and 9th-gen processors, but the biggest bit of confusion has been with the issue of Hyper-threading. It’s a proprietary Intel technology that brings higher thread counts on high core-count processors and allows much better performance in complex multi-threaded applications. It’s one of the primary features that distinguishes between desktop Core i5 processors and the more expensive Core i7 desktop options. But in this case, Hyper-threading presents a possible gap for systems to leak data out of.

While Intel says Simultaneous Multi-Threading could help protect certain systems, it’s not outright recommending disabling Hyper-threading.

“Once these updates are applied, it may be appropriate for some customers to consider additional steps,” said Intel in a statement. “This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”

There’s a serious issue with this statement. Other companies don’t agree with that evaluation. Because the vulnerability affects every Intel chip since 2008 (except for the newer aforementioned 8th and 9th-gen chips), laptop manufacturers and software developers are making their own calls. Google was the first to release an official statement saying Chrome OS 74, the latest software update for Chromebooks, will have Hyper-threading turned off completely.

Hyper-threading isn’t all that common on Chromebooks, so that might not strike you as a big deal. But what about your pumped-up Core i9 MacBook Pro? Or how about your $4,000 iMac Pro? Apple was the second to recommend  its customers disable Hyper-threading. Its instructions for “full mitigation” of the vulnerability include disabling the feature entirely, resulting in a drop in performance by as much as 40%. That’s based on Apple’s own performance with “tests that include multi-threaded workloads and public benchmarks.”

You do, however, get the option. As Apple states, it might depend on how “high risk” your security is. Intel says the decision to disable hyper-threading will depend “on each individual’s security requirements.” If you’re a government agency or a banking institution, maybe that’s an easy decision. But for the average person, it’s a bit more ambiguous.

How much do you really care about your security? That’s the question begged by this entire scenario. Enough to throw away 40% of your computer’s performance? Enough to install the software patches but not go through the “full mitigation?” In certain situations — let’s say you’re a freelance video editor, for example — that drop in performance could be akin to throwing away profits because videos will take longer to encode and edit.

You must choose

When you zoom out from the experience of just one person, the problem compounds. Will the next version of Hyper-threading be ZombieLoad-proof? What about other future technologies? It’s an existential crisis for the entire industry. Improving performance has been the name of the game in computing. We have a need for speed that makes it hard for companies like Intel, AMD, Nvidia, or Qualcomm to take the gas off the pedal.

It’s not unlike the situation we currently face with privacy. Most of us are all too aware of how our data is taken and used, often without our consent. Yet, we’re rarely willing to trade convenience for privacy. It’s a price most of us just aren’t willing to pay.

In the long run, I have a hard time seeing us behaving differently when it comes to security. And that could become a cataclysmic problem for consumer tech.

Topics
Luke Larsen
Luke Larsen
Former Digital Trends Contributor
Luke Larsen is the Senior Editor of Computing, managing all content covering laptops, monitors, PC hardware, Macs, and more.

Editors’ Recommendations

A zero-day Google Chrome security flaw requires you to update now
Google Chrome opened on a laptop.

Google released an update to its Chrome browser for Windows and Mac users, and the internet giant strongly recommends that users apply the update as soon as possible. The update contains 14 security fixes -- including a zero-day security flaw -- that if left unchecked would leave the system vulnerable to attacks. Google categorized these fixes as critical, high, and medium importance.

Windows and Mac users who also surf the internet with the Chrome browser will want to make sure that they're on version 91.0.4472.101. To make sure that you're on the latest build of Chrome, launch your browser and then click on the three dots stacked vertically at the top right. Navigate to Settings, and then click About Chrome. From there, you'll be able to view the Chrome version number, and you can update the browser if it wasn't automatically updated in the background.

Read more
Nvidia’s RTX 3080 GPUs are crashing. Here’s what we know, and what you can do
nvidia rtx 3080 review 02

If you're one of the lucky gamers or creative professionals who defied the impossible and managed to snag one of the limited inventory of Nvidia's GeForce RTX 3080 flagship graphics card when they dropped, you may have found yourself in for a bit of a roller coaster ride with the new GPU. Gamers have reported instability problems with the card since shortly after the launch that cause the GPU to crash.

Since those reports have emerged, technology sites and industry insiders have offered differing hypotheses on what the issue could be, with both software and hardware being potential culprits. Nvidia has responded and released an updated GeForce driver. Here's what we know, and what you can do right now to prevent crashes from happening if you are the proud owner of an RTX 3080.
The problem

Read more
Intel Arc GPU users lose Deep Link features as support ends without notice
The back of the Intel Arc B580 graphics card.

Intel has quietly discontinued its Deep Link technology, the suite of features designed to enhance collaboration between its CPUs and GPUs. Notably, the confirmation did not come through an official announcement, but via a developer comment on a public GitHub thread, where an Intel representative acknowledged that Deep Link is “no longer actively maintained.”

Launched in 2020 alongside Intel’s push into discrete graphics, Deep Link aimed to improve performance and efficiency in systems combining Intel 11th, 12th, or 13th generation processors with Intel Arc GPUs. It bundled several features like Dynamic Power Share which redirected power between the CPU and GPU based on load, Hyper Encode that enabled multi-engine video encoding, and Stream Assist for offloading media tasks to the GPU during live streaming.

Read more