Skip to main content

Zombieload forces a choice between performance and security. What will you do?

Another week, another devastating, industry-shaking, cybersecurity threat. This week’s is particularly haunting, though — the resurrected corpse of the Spectre and Meltdown vulnerabilities, aptly known as ZombieLoad.

It’s been over 16 months since the original Spectre and Meltdown vulnerabilities were revealed, and little has been done to assure us our PCs are safe. Each of us has to make a choice between performance and security.

That really sucks.

Recommended Videos

The Hyper-threading problem

Understanding Spectre and Meltdown

Unlike in 2018, the major companies’ products affected by this vulnerability have responded quickly. Statements and patches from Microsoft, Amazon, Google, Apple, and Intel were all released on day one of the publishing of the discovery. It’s great to see Intel confidently announce the problem it discovered and present the available solutions to its customers.

There are, however, performance compromises to some of these solutions.

Dips in performance (or far worse) were common in the Spectre microcode patches released by Intel in 2018. That was especially true toward the beginning of the process. As in the early days of the fight against ZombieLoad and other Micro-architectural Data Sampling (MDS) vulnerabilities, we’re seeing signs of that same problem.

Now, Intel has already addressed of the issue at the hardware level in its recent 8th and 9th-gen processors, but the biggest bit of confusion has been with the issue of Hyper-threading. It’s a proprietary Intel technology that brings higher thread counts on high core-count processors and allows much better performance in complex multi-threaded applications. It’s one of the primary features that distinguishes between desktop Core i5 processors and the more expensive Core i7 desktop options. But in this case, Hyper-threading presents a possible gap for systems to leak data out of.

While Intel says Simultaneous Multi-Threading could help protect certain systems, it’s not outright recommending disabling Hyper-threading.

“Once these updates are applied, it may be appropriate for some customers to consider additional steps,” said Intel in a statement. “This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”

There’s a serious issue with this statement. Other companies don’t agree with that evaluation. Because the vulnerability affects every Intel chip since 2008 (except for the newer aforementioned 8th and 9th-gen chips), laptop manufacturers and software developers are making their own calls. Google was the first to release an official statement saying Chrome OS 74, the latest software update for Chromebooks, will have Hyper-threading turned off completely.

Hyper-threading isn’t all that common on Chromebooks, so that might not strike you as a big deal. But what about your pumped-up Core i9 MacBook Pro? Or how about your $4,000 iMac Pro? Apple was the second to recommend  its customers disable Hyper-threading. Its instructions for “full mitigation” of the vulnerability include disabling the feature entirely, resulting in a drop in performance by as much as 40%. That’s based on Apple’s own performance with “tests that include multi-threaded workloads and public benchmarks.”

You do, however, get the option. As Apple states, it might depend on how “high risk” your security is. Intel says the decision to disable hyper-threading will depend “on each individual’s security requirements.” If you’re a government agency or a banking institution, maybe that’s an easy decision. But for the average person, it’s a bit more ambiguous.

How much do you really care about your security? That’s the question begged by this entire scenario. Enough to throw away 40% of your computer’s performance? Enough to install the software patches but not go through the “full mitigation?” In certain situations — let’s say you’re a freelance video editor, for example — that drop in performance could be akin to throwing away profits because videos will take longer to encode and edit.

You must choose

When you zoom out from the experience of just one person, the problem compounds. Will the next version of Hyper-threading be ZombieLoad-proof? What about other future technologies? It’s an existential crisis for the entire industry. Improving performance has been the name of the game in computing. We have a need for speed that makes it hard for companies like Intel, AMD, Nvidia, or Qualcomm to take the gas off the pedal.

It’s not unlike the situation we currently face with privacy. Most of us are all too aware of how our data is taken and used, often without our consent. Yet, we’re rarely willing to trade convenience for privacy. It’s a price most of us just aren’t willing to pay.

In the long run, I have a hard time seeing us behaving differently when it comes to security. And that could become a cataclysmic problem for consumer tech.

Topics
Luke Larsen
Luke Larsen is the Senior Editor of Computing, managing all content covering laptops, monitors, PC hardware, Macs, and more.
Nvidia’s RTX 3080 GPUs are crashing. Here’s what we know, and what you can do
nvidia rtx 3080 review 02

If you're one of the lucky gamers or creative professionals who defied the impossible and managed to snag one of the limited inventory of Nvidia's GeForce RTX 3080 flagship graphics card when they dropped, you may have found yourself in for a bit of a roller coaster ride with the new GPU. Gamers have reported instability problems with the card since shortly after the launch that cause the GPU to crash.

Since those reports have emerged, technology sites and industry insiders have offered differing hypotheses on what the issue could be, with both software and hardware being potential culprits. Nvidia has responded and released an updated GeForce driver. Here's what we know, and what you can do right now to prevent crashes from happening if you are the proud owner of an RTX 3080.
The problem

Read more
This is the GPU I’m most excited for in 2025 — and it’s not by Nvidia
The AMD Radeon RX 7900 XTX graphics card.

The next few months will completely redefine every ranking of the best graphics cards. With Nvidia's RTX 50-series and AMD's RDNA 4 most likely launching in January -- and even Intel possibly expanding its Battlemage lineup -- there's a lot to look forward to.

But as for me, I already know which GPU I'm most excited about. And no, it's not Nvidia's rumored almighty RTX 5090. The GPU I'm looking forward to is AMD's upcoming flagship, which will presumably be the RX 8800 XT (or perhaps the RX 9070 XT). Below, I'll tell you why I think this GPU is going to be so important not just for AMD but also for the entire graphics card market.
Setting the pace

Read more
Google Street View camera captures highly suspicious act, leading to arrests
The Google Street View image showing someone loading a large bundle into the trunk of a car.

Imagery from Google’s Street View has reportedly helped to solve a murder case in northern Spain.

Street View is the online tool that lets you view 360-degree imagery captured by cameras mounted on Google’s Street View cars that travel the world.

Read more