Why that 40% performance hit for full 'ZombieLoad' mitigations probably won't affect you

Posted:
in macOS edited May 2019
Tuesday's revelation of the existence of the "ZombieLoad" vulnerability and the subsequent patching of the issue in macOS has led some users to be angry about the potential 40% reduction in system performance for their Mac. While significant, that impact will really only impact a small percentage of Mac owners, while the vast majority of complainants are upset at something they just don't need to endure.




On Tuesday, researchers published details of a Meltdown and Spectre-like vulnerability in Intel's processors, that could allow for data to be acquired via a technique called "ZombieLoad," or Intel's sexier name for it, "Microarchitectural Data Sampling." By loading in data to a processor that cannot be properly processed, the processor can potentially leak the data from other apps, effectively allowing a malicious app to acquire sensitive data or to monitor the user's browsing habits.

Apple was quick to patch the problem as part of the macOS Mojave 10.14.5 update on Monday, protecting effectively all Macs released from 2011 onwards. The patch itself has no measurable performance hit on Macs when left alone in its default state, however this did not provide a full mitigation for the vulnerability.

Full-bore losses

A full mitigation could be applied, eliminating any possibility of the issue affecting a Mac, but in the process it disabled hyper-threading and, by Apple's estimates, reduce system performance by as much as 40%. This reduction only applied to anyone who enabled the full mitigation in the Mojave update, as well as those who installed Security Update 2019-003 for High Sierra and Sierra and similarly enabled it.

This potential loss of performance immediately caused uproar from concerned users, though the anger is overblown, and not specific to the Mac.




A proof of concept for ZombieLoad showing it is able to monitor a user's browsing on a virtual machine on the Tor browser.


A loss of performance is only an issue if the person managing the Mac in question goes full bore on the mitigation. Unless the Mac is being used for highly secretive tasks, the user is a potential subject for hacking attempts by a sophisticated bad actor, or some other value-based reason, there isn't really a need to turn on the full mitigation.

And, disabling Hyper-Threading will have the same impact on Windows systems too -- which is why Microsoft doesn't advise it.

Safari and sourcing

For the vast majority of Mac (or Windows) users, there is no need to enable the full mitigation. As per Apple's notes on the fixes, the bulk of the alterations were made to Safari, preventing exploitation of the vulnerabilities via Javascript on a malicious website, and with "no measurable performance impact" to most users.

Along with Safari, those worried about the vulnerability, or malware in general, could easily take the time to update their security settings within macOS to download apps only from the Mac App Store. As apps from there are signed by Apple to make sure they aren't tampered with or altered, it makes the apps far safer to download than versions acquired from the internet.

That isn't to say that you shouldn't download software from other sources, but seasoned users who are capable of knowing a good source from a malicious one can easily avoid the potential hazard of installing malware that uses the vulnerability.




Outside of Safari, incoming patches for other browsers, and being careful about what is downloaded and installed from the Internet, that only leaves physical access to the Mac as the last avenue the vulnerability can be used. Quite frankly, at that point it becomes a case of either severe negligence on the user's part or it enters the realm of a highly sophisticated attack by a nation state or organization, making it highly unlikely to ever happen to almost anyone.

A source of AppleInsider within Apple corporate not authorized to speak on behalf of the company advised "The Mojave patch from Monday has robust protections for MDS vulnerabilities. If users feel that they are at a high-risk for related attacks, we've enabled the ability to turn off hyper-threading in total in Mojave, Sierra, or High Sierra."

There is also the fact that the vulnerability has so far been only displayed as a proof-of-concept attack, and that it requires a high level of expertise to pull off. "There are no 'in the wild' exploits at this time for macOS," said the AppleInsider source, "and we aren't expecting any."

Unless you are a journalist investigating a rogue government's corruption, a person of interest to agents of espionage, dealing with state secrets, or something on a similar level, there is not really any benefit to using the full mitigations and sacrificing your Mac's performance. To nearly all of our readers, the update with fixes in Safari should be enough as it is to alleviate worries without going further.
«1

Comments

  • Reply 1 of 25
    lkrupplkrupp Posts: 10,557member
    This article says it all. Most of us don’t have to worry about it... period.
    sweetheart777coolfactorwatto_cobra
  • Reply 2 of 25
    mdriftmeyermdriftmeyer Posts: 7,503member
    If Apple is smart this is when they jump ship and move to AMD Zen2 processor lines. AMD verified with these researchers their processor designs are not affected.

    With Zen2 about to blow any IPC advantage by Intel clean out of the water, it's only sound for Apple to use AMD post Thunderbolt 3 licensing now royalty free.

    TSMC foundries both A Series and Zen Series/Radeon GPGPUs series. Superior performance, leading edge nodes and 30-50% lower the cost on CPUs. A win for Apple and Consumers.
    edited May 2019 HwGeekwatto_cobra
  • Reply 3 of 25
    SoliSoli Posts: 10,035member
    If Apple is smart this is when they jump ship and move to AMD Zen2 processor lines. AMD verified with these researchers their processor designs are not affected.

    With Zen2 about to blow any IPC advantage by Intel clean out of the water, it's only sound for Apple to use AMD post Thunderbolt 3 licensing now royalty free.

    TSMC foundries both A Series and Zen Series/Radeon GPGPUs series. Superior performance, leading edge nodes and 30-50% lower the cost on CPUs. A win for Apple and Consumers.
    I can think of a better win for Apple and consumers without making a lateral move to AMD.
    LordeHawkmichelb76watto_cobra
  • Reply 4 of 25
    knowitallknowitall Posts: 1,648member
    Users are right to be angry, but they should be angry about Intels fuck up.
    Apple acted properly and quick in this case.
    It would be a lot better if Apple removed this uncertain factor (Intel) from the equation and used A processors across the product lines.
    watto_cobra
  • Reply 5 of 25
    jdb8167jdb8167 Posts: 626member
    knowitall said:
    Users are right to be angry, but they should be angry about Intels fuck up.
    Apple acted properly and quick in this case.
    It would be a lot better if Apple removed this uncertain factor (Intel) from the equation and used A processors across the product lines.

    Right. This really doesn't affect consumer PCs much. This is much more of a problem for servers and publicly accessible workstations. Anything with multiple, simultaneous logins from untrusted users can be a problem. For regular Mac and PC users, this is minor and almost certainly not noticeable. For Cloud Services providers like Amazon and Google, this is a big deal since you could theoretically buy time on a server, install malicious software in your own partition and snoop on other users using the same physical server hardware.
    edited May 2019 watto_cobra
  • Reply 6 of 25
    lkrupplkrupp Posts: 10,557member
    So now we start to hear demands to move to A series on the Mac. Screw Intel! Well, A-based Macs will almost certainly kill Boot Camp. How much work and expense will be required by developers to recompile their code to work on Arm architecture? Will Apple be able to come up with a Rosetta style solution so all those Intel based, 64 bit apps will run on an ARM Mac? So many unanswered questions that need answers before dumping Intel.
    cgWerkswatto_cobra
  • Reply 7 of 25
    fastasleepfastasleep Posts: 6,408member
    Since my comment was deleted, I’ll rephrase it without questioning the writing in the article. 

    HOW would one even enable the “full bore mitigation” discussed here?

    EDIT: I see the link to the kb article now. Not sure if that was added or I couldn’t see it the first time around. 
    edited May 2019 watto_cobra
  • Reply 8 of 25
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    Since my comment was deleted, I’ll rephrase it without questioning the writing in the article. 

    HOW would one even enable the “full bore mitigation” discussed here?

    EDIT: I see the link to the kb article now. Not sure if that was added or I couldn’t see it the first time around. 
    While I'm not certain about a deletion, the link in question to the knowledge base was in since publication.
  • Reply 9 of 25
    fastasleepfastasleep Posts: 6,408member
    Since my comment was deleted, I’ll rephrase it without questioning the writing in the article. 

    HOW would one even enable the “full bore mitigation” discussed here?

    EDIT: I see the link to the kb article now. Not sure if that was added or I couldn’t see it the first time around. 
    While I'm not certain about a deletion, the link in question to the knowledge base was in since publication.
    Gotcha. I was reading in bright lighting and probably missed the blue hyperlinked text. Comment may have not stuck the first time. 
    watto_cobra
  • Reply 10 of 25
    seanismorrisseanismorris Posts: 1,624member
    I don’t have a problem with users being upset.  Patching security vulnerabilities resulting in decreased performance get old fast, and they’ve seen a bunch of them recently.

    Users buy machines to suit their needs, at some point these issues add up to computer that don’t get it done.  It might take 1 patch or a dozen, but it’s only a matter of time before it hits their pocketbook.

    What other recourse do users have besides being pissed?  Intel needs to get the message somehow.  

    The problem is Mac users don’t have an option of jumping ship on Intel without (for AMD) without leaving their investment in the Mac ecosystem.  Windows users have the option of giving Intel the finger...  that said everyone is frustrated.

    Yell loud, and yell long!  Maybe Intel will get the message, security of their products are really freaking important.
  • Reply 11 of 25
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    I don’t have a problem with users being upset.  Patching security vulnerabilities resulting in decreased performance get old fast, and they’ve seen a bunch of them recently.

    Users buy machines to suit their needs, at some point these issues add up to computer that don’t get it done.  It might take 1 patch or a dozen, but it’s only a matter of time before it hits their pocketbook.

    What other recourse do users have besides being pissed?  Intel needs to get the message somehow.  

    The problem is Mac users don’t have an option of jumping ship on Intel without (for AMD) without leaving their investment in the Mac ecosystem.  Windows users have the option of giving Intel the finger...  that said everyone is frustrated.

    Yell loud, and yell long!  Maybe Intel will get the message, security of their products are really freaking important.
    Nor do I. Just be upset about the right things, which is what you talked about later in the post. Getting riled up about Apple being transparent about the 40% thing is... counterproductive.
    watto_cobra
  • Reply 12 of 25
    coolfactorcoolfactor Posts: 2,239member
    knowitall said:
    Users are right to be angry, but they should be angry about Intels fuck up.
    ...and the subsequent patching of the issue in macOS has led some users to be angry about the potential 40% reduction in system performance for their Mac.

    Anger is a waste of energy in this case. There's no grounds to express anger. It's the wrong emotion. Shock, disappointment, sure... but why anger? It won't accomplish anything except create stress and reduce one's life expectancy.

    watto_cobra
  • Reply 13 of 25
    softekysofteky Posts: 136member
    lkrupp said:
    So now we start to hear demands to move to A series on the Mac. Screw Intel! Well, A-based Macs will almost certainly kill Boot Camp. How much work and expense will be required by developers to recompile their code to work on Arm architecture? Will Apple be able to come up with a Rosetta style solution so all those Intel based, 64 bit apps will run on an ARM Mac? So many unanswered questions that need answers before dumping Intel.
    The real progress here will be for Microsoft to release Windows 10 on ARM together with Apple switching from Intel to ARM. Short circuit Intel’s strangle hold on progress and both Microsoft and Apple will romp off into the distance. BootCamp etc. No problem!
    chasmwatto_cobra
  • Reply 14 of 25
    chasmchasm Posts: 3,275member
    For those saying Macs can’t jump to A-series chips entirely because we’d lose Boot Camp and native Windows compatibility — Microsoft ported Windows to ARM chips ages ago. It wouldn’t be easy and there wouldn’t be much legacy (pre-8) support, but it could certainly be done because it’s already been done.

    I don’t know enough about AMD Zen2 processor lines (as referred to in the — unpaid? — ad near the top of the comments) to comment on moving laterally for some models of higher-end Macs, but you can rest assured that Apple: a) designed OS X to be fairly portable and b) is likely have versions of OS X running on just about any chip even marginally capable of supporting the full OS. Motorola taught Apple that lesson a very long time ago. If Apple came to an agreement with AMD, it would probably not be much work to make Boot Camp work with those chips.

    It’s kind of sad to see Intel having so many (self-inflicted) problems these days. I hope they can turn things around.
    edited May 2019 watto_cobra
  • Reply 15 of 25
    chasmchasm Posts: 3,275member
    PS. Wonderful article, thoroughly grounded in reality, lays everything out plainly so even the “headline skimmers” and people with poor comprehension skills will “get it.” Well done!
    cgWerkswatto_cobra
  • Reply 16 of 25
    LordeHawkLordeHawk Posts: 168member
    lkrupp said:
    So now we start to hear demands to move to A series on the Mac. Screw Intel! Well, A-based Macs will almost certainly kill Boot Camp. How much work and expense will be required by developers to recompile their code to work on Arm architecture? Will Apple be able to come up with a Rosetta style solution so all those Intel based, 64 bit apps will run on an ARM Mac? So many unanswered questions that need answers before dumping Intel.
    Maybe the new Mac Pro will offer a windows module that allows a PC architecture chip and extra boot loader.

    LOL
    cgWerkswatto_cobra
  • Reply 17 of 25
    The linked article says how to enable full mitigation, but is there a way to turn off all protection so I can test how much this impacts my threaded very CPU heavy programs.
    watto_cobra
  • Reply 18 of 25
    mdriftmeyermdriftmeyer Posts: 7,503member
    chasm said:
    For those saying Macs can’t jump to A-series chips entirely because we’d lose Boot Camp and native Windows compatibility — Microsoft ported Windows to ARM chips ages ago. It wouldn’t be easy and there wouldn’t be much legacy (pre-8) support, but it could certainly be done because it’s already been done.

    I don’t know enough about AMD Zen2 processor lines (as referred to in the — unpaid? — ad near the top of the comments) to comment on moving laterally for some models of higher-end Macs, but you can rest assured that Apple: a) designed OS X to be fairly portable and b) is likely have versions of OS X running on just about any chip even marginally capable of supporting the full OS. Motorola taught Apple that lesson a very long time ago. If Apple came to an agreement with AMD, it would probably not be much work to make Boot Camp work with those chips.

    It’s kind of sad to see Intel having so many (self-inflicted) problems these days. I hope they can turn things around.
    Zen2 is ahead of anything Intel can produce with only one area left to optimize--laptop market. AMD is first releasing, ROME 64 core/128 thread Server CPU that stomps Intel's upcoming offerings, never mind their current ones, and at a fraction of the cost. It's the reason AMD just secured the fastest 1.5 Exaflop Supercomputer contract with CRAY in the world.

    Next up is the Ryzen 3000 series Zen 2 with 4/6/8/16 cores and 8/12/16/32 thread offerings. Clocks are how up to 5Ghz and DDR4 options cover the entire spectrum. Superior designs with Chiplets at 7nm [4 cores per chiplet] interfacing with a central I/O Unit. The head of AMD will soon be discussing these and NAVI, the next generation after Vega in GPGPUs. All due this Q3. ROME will start selling in June.

    DELL has upped their AMD server units from 1 to 4 lines. HP as well. Large contracts have been waiting on ROME to arrive, including Google, Amazon Web Services and more.
    watto_cobra
  • Reply 19 of 25
    22july201322july2013 Posts: 3,564member
    I would expect that most security bugs that occur within a CPU's architecture could be mitigated by either updating the CPU's microcode or by updating the OS that uses it. However what scares me more is when a security bug occurs outside the CPU's perimeter. Check out https://en.wikipedia.org/wiki/Row_hammer in which the security bug occurs exclusively in the DDR3 and DDR4 memory hardware. That really worries me. It would affect any device using DDR3 or DDR4 memory. Most Macs have been made with DDR3, but some of the latest appear to use DDR4. They would all be impacted and I'm not sure if Intel could fix those bugs because they are outside of Intel's responsibility. Indeed for that reason such a bug would impact all processor families, including ARM. Which means all iOS devices (including watchOS and tvOS) could be vulnerable. I wonder if anyone is actively trying to get Rowhammer to work. Or maybe they already have.... 
  • Reply 20 of 25
    HwGeekHwGeek Posts: 15member
    Why apple not buying custom x86 APU's/Threadripper style? AMD can make it for them and it will be Apple exclusive -like AMD does for MS and Sony.
    Apple will save massive amount of $$$ if they drop Intel and all the problems with it ?(i9 TDP?).
    This kind of problem were the reason to drop nVidia -right? With this "40%" performance hit, customers will blame Apple while it's only Intel's fault.

    edited May 2019 watto_cobra
Sign In or Register to comment.