Yesterday it first emerged that Intel chips were exploitable at the kernel level. It was originally believed the problem affected only Intel, albeit most of its chips from the last decade, but it was later found to also impact AMD and ARM. This means almost every machine could be affected, from your home PC to the servers in cloud datacenters. If you cannot wait for the monthly patch roundup, you can grab the update manually through Microsoft Update.

The problem with the patch is that it is a workaround, not a true fix. There have been reports that the patch can impact performance severely, although Intel insists this depends on the workload.

“We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers,” the company said.

The Meltdown and Spectre CPU flaws affect hundreds of millions of devices. Each time a process needs a privileged operation carried out, the CPU hands control to the kernel. That is fine in itself, but for speed the kernel remains mapped into the virtual address space of every process. Unfortunately, this is what leaves every process open to attack. Microsoft says it has seen no attempt to exploit the flaw, but the patch must be issued regardless.

The patch in question is the implementation of the Page Table Isolation (PTI) workaround. Intel already uses PTI on newer processors. It moves the kernel into its own address space, so that it is no longer mapped into every process, while keeping it reachable whenever a process needs it.
While it is possible to compensate for this in newer chips optimized for PTI, in existing processors it is predicted PTI will have a major impact on performance.
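As an added example (not from the article), here is how a Windows administrator can check whether the kernel isolation workaround described above is active, and whether the PCID optimisation that limits its performance cost on newer chips is in use. It assumes Microsoft's SpeculationControl module from the PowerShell Gallery can be installed and that the script runs from an elevated prompt.

```powershell
# Added example: report the state of Windows' kernel page-table isolation
# ("KVA shadow", Microsoft's name for PTI) using the SpeculationControl module.
# Assumption: the module is available from the PowerShell Gallery; run elevated.

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# The cmdlet prints a readable summary to the host and also returns an object;
# the object's properties are what we inspect programmatically below.
$s = Get-SpeculationControlSettings

# Kernel isolation is effective only when the CPU needs it (KVAShadowRequired),
# the OS update that ships it is installed (...SupportPresent) and it is
# switched on (...SupportEnabled). AMD parts report KVAShadowRequired = False.
$ptiActive = $s.KVAShadowRequired -and
             $s.KVAShadowWindowsSupportPresent -and
             $s.KVAShadowWindowsSupportEnabled

# PCID lets the CPU keep address translations across the user/kernel switch,
# which is the "newer chips optimized for PTI" case: without it the same
# protection costs more performance. It is not needed for security.
$pcidOptimised = $s.KVAShadowPcidEnabled

[pscustomobject]@{
    KernelIsolationRequired        = $s.KVAShadowRequired
    KernelIsolationActive          = $ptiActive
    PcidOptimisationEnabled        = $pcidOptimised
    # Spectre branch-target-injection mitigation, reported alongside for context
    BranchTargetInjectionMitigated = $s.BTIWindowsSupportEnabled
}

if ($s.KVAShadowRequired -and -not $ptiActive) {
    Write-Warning "This CPU requires kernel isolation but it is not active: install the security update."
}
elseif ($ptiActive -and -not $pcidOptimised) {
    Write-Warning "Kernel isolation is active without PCID; expect a larger performance cost on this hardware."
}
```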
Performance Impact
If you are running a home PC for web surfing and word processing, this drop will probably not be noticeable. Companies are concerned, however, especially those running massive workloads, such as cloud providers. Microsoft is one of those companies, but it remains confident the patch will not hurt performance. Azure is the most exposed, given the huge workloads the cloud platform manages. Nevertheless, Microsoft believes Azure will not suffer adverse performance after the patch:

“With the public disclosure of the security vulnerability today, we are accelerating the planned maintenance timing and will begin automatically rebooting the remaining impacted VMs starting at 3:30pm PST on January 3, 2018. The self-service maintenance window that was available for some customers has now ended, in order to begin this accelerated update. During this update, we will maintain our SLA commitments of Availability Sets, VM Scale Sets, and Cloud Services. This reduces impact to availability and only reboots a subset of your VMs at any given time. This ensures that any solution that follows Azure’s high availability guidance remains available to your customers and users. Operating system and data disks on your VM will be retained during this maintenance. You can see the status of your VMs and if the reboot completed within the Azure Service Health Planned Maintenance Section in your Azure Portal. The majority of Azure customers should not see a noticeable performance impact with this update. We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied. A small set of customers may experience some networking performance impact. This can be addressed by turning on Azure Accelerated Networking (Windows, Linux), which is a free capability available to all Azure customers. We will continue to monitor performance closely and address customer feedback.”