The Impact of Security Patches on Performance
The recent security patch for macOS has been found to have an unintended consequence: it makes things just a little bit slower. However, this is not the full story. According to the security researchers who discovered the issue, the patch only partially addresses the problem and does not fix the underlying vulnerability entirely.
In fact, the researchers recommend disabling hyper-threading as part of the solution. This is a big deal because hyper-threading delivers a significant amount of performance to a CPU, and if disabled, users can lose up to 40% of their processing power. Intel disputes this claim, stating that the exploit is not as severe as initially thought, but Apple disagrees.
In response to the vulnerability, Apple has introduced a feature that allows users to turn off hyper-threading, which is great for making the system more secure. However, this comes at a cost: disabling hyper-threading will significantly impact performance. To use this feature, users need a Mac that is fully up to date with Sierra, High Sierra, or Mojave.
To test the security patch, I had to boot my MacBook into recovery mode and run two commands in Terminal. With those commands executed, I checked if hyper-threading was still enabled by running System Report. The results showed that hyper-threading was indeed disabled, which suggests that the security patch is effective in addressing the vulnerability.
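A scripted version of the System Report check described above, as an added example that is not from the original article or video: it classifies a Mac's state from the text output of `system_profiler SPHardwareDataType` and `nvram -p`. The NVRAM settings it looks for (`cwae=2` in `boot-args`, `SMTDisable=%01`) are assumed from Apple's published MDS guidance rather than taken from this page, the output layouts are assumed, and the function names and sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a Mac's MDS mitigation state from two text dumps.
# Assumed inputs: output of `system_profiler SPHardwareDataType` and `nvram -p`.
# Assumed settings (from Apple's published MDS guidance, not from this page):
#   boot-args containing cwae=2, and SMTDisable=%01.

# Print "enabled", "disabled" or "unknown" for the Hyper-Threading line.
ht_state() {
    printf '%s\n' "$1" | awk -F': *' '
        /Hyper-Threading Technology/ {
            gsub(/[ \t\r]+$/, "", $2); print tolower($2); found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# Succeed only if both NVRAM settings are present, so they survive a reboot.
nvram_hardened() {
    printf '%s\n' "$1" | awk '
        $1 == "SMTDisable" && $2 == "%01" { smt = 1 }
        $1 == "boot-args" && /(^|[ \t])cwae=2([ \t]|$)/ { cwae = 1 }
        END { exit !(smt && cwae) }'
}

# Combine both signals into one verdict line.
mds_audit() {
    ht=$(ht_state "$1")
    if nvram_hardened "$2"; then nv=set; else nv=unset; fi
    case "$ht/$nv" in
        disabled/set) echo "FULL: hyper-threading off, NVRAM settings present" ;;
        enabled/set)  echo "PENDING: settings present, hyper-threading still on" ;;
        enabled/*)    echo "DEFAULT: hyper-threading on, full mitigation not enabled" ;;
        disabled/*)   echo "INCONSISTENT: hyper-threading off, settings missing" ;;
        *)            echo "UNKNOWN: no Hyper-Threading line in hardware report" ;;
    esac
}

# Constructed sample input, not captured from a real machine.
SAMPLE_HW='Hardware:
      Model Name: MacBook Pro
      Total Number of Cores: 4
      Hyper-Threading Technology: Disabled'
SAMPLE_NVRAM=$(printf 'boot-args\tcwae=2\nSMTDisable\t%%01')
mds_audit "$SAMPLE_HW" "$SAMPLE_NVRAM"

# On a Mac, audit the live system as well.
if command -v system_profiler >/dev/null 2>&1; then
    mds_audit "$(system_profiler SPHardwareDataType)" "$(nvram -p)"
fi
```

The UNKNOWN verdict covers the case the video mentions, where an earlier macOS version does not show a Hyper-Threading entry at all.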
However, I also wanted to test how much performance we lose by hardening the system. To do this, I ran Geekbench on my MacBook, both with and without hyper-threading enabled. The results were surprising: disabling hyper-threading actually made very little difference in terms of single-core performance, but it did reduce multi-core performance.
According to Apple, users can expect a significant impact on performance by disabling hyper-threading, with losses of up to 40% compared to running the system without this feature enabled. While I couldn't verify these exact figures, my results were very close. The single-core score remained largely unchanged, while the multi-core score dropped significantly.
I also found that even in the best-case scenario, where users are running a highly optimized system with minimal overhead, disabling hyper-threading does not make a huge difference in performance terms. This is good news for users who want to balance security and performance, but it's also a reminder that there are still some compromises to be made when it comes to security.
In conclusion, the recent security patch for macOS has highlighted the importance of keeping our systems up-to-date and secure. By disabling hyper-threading, we can reduce the risk of attacks like this one, even if it means sacrificing some performance. However, as with any compromise, there are trade-offs to consider, and users need to be aware of these when deciding how to balance security and performance.
The Future of Security
As I reflect on the recent security patch for macOS, I am reminded that the threat landscape is constantly evolving, and new vulnerabilities will emerge in the coming months. In fact, it's already happening. MDS and ZombieLoad are just two examples of brand-new hardware vulnerabilities that we need to stay on top of.
My advice to users remains the same: keep your operating system up-to-date, keep your browser up-to-date, and even pay attention to things like keeping your BIOS up-to-date. All of these measures will make a big difference in protecting you from attacks.
In the coming weeks and months, we can expect to see many more videos about this topic. As new vulnerabilities emerge, our team will be working hard to bring you detailed analysis and guidance on how to stay safe online. So, stay tuned, and don't be afraid to reach out if you have any questions or concerns.
The Importance of BIOS Updates
Another crucial aspect of maintaining security is keeping your BIOS up-to-date. The BIOS is the fundamental software that controls the basic functions of your computer hardware, including the CPU and memory. Over time, new vulnerabilities can be introduced into the BIOS firmware, which can allow attackers to gain unauthorized access to your system.
BIOS updates typically occur when new hardware or operating systems are released, as these updates often include fixes for known vulnerabilities. However, not all users realize the importance of keeping their BIOS up-to-date, and this is where security falls behind.
In reality, failing to update the BIOS can leave you vulnerable to attacks that exploit previously patched vulnerabilities in your operating system. This is because the vulnerability may have been fixed in the OS, but the same exploit could still work on an outdated BIOS firmware.
For example, if you're running an older version of macOS and you fail to update your BIOS to the latest version, you may be leaving yourself open to attack. Even if your operating system has received a recent security patch, the vulnerability may still exist in the BIOS, allowing an attacker to bypass the protection offered by the OS.
To avoid this risk, it's essential to keep your BIOS up to date, just like your operating system and browser. This is especially true for users at elevated risk, such as those keeping state secrets on their computers.
Video Transcript
- Hey guys, this is Austin. If you use a PC, it's time to listen up. Put your nerd pants on and let's take a little adventure into Danger Town. There's a new group of exploits going around that can cause some serious damage to your PC. So they take advantage of what is known as speculative execution, and it's similar to some of the bugs we saw last year, including Spectre as well as Meltdown. Something as simple as visiting a website with malicious JavaScript or a little bit of a sketchy download could mean losing control over all kinds of stuff which should be very sensitive and private. So I'm talking about passwords, encryption keys. As far as bugs go, this is about as bad as it gets.
Now I do want to stress that all this is theoretical right now, so researchers have found these vulnerabilities and a lot of them have been patched so it's not out in the wild. But with these things, it's only a matter of time before a plane goes overhead, and they start to make it into the wild.
So last year brought us Spectre and Meltdown, and at first, it seemed like a major vulnerability. But of course, they were patched before too much longer. However, at this point, it is very clear that this is a new class of things that everyone has to worry about. It's no longer just software. There's actual hardware vulnerabilities, which can cause major problems.
So this actually boils down to a few different vulnerabilities that were all announced at the same time. So there's the super scary name of, oh god, do I have to say it? ZombieLoad, yes, ZombieLoad is something you have to be afraid of, or the much nicer name of MDS, because that sounds safe and generic.
- I'm not, that's why I don't want to say it. I don't want to say ZombieLoad.
So what separates this from traditional bugs that are much more software focused is that it of course is in hardware. So there are some patches and some BIOS updates and stuff, and I'll get into that in just a minute, that helps to mitigate this. But at the end of the day, we now live in a different era where hardware itself is being attacked on a very regular basis, which means that sure you can always download a new patch, but if there's something that's super fundamental to the actual hardware itself, it means, oh I need to buy a new processor or upgrade my computer. Now we're not quite to that point yet, but it is becoming a very scary time.
So we're definitely going to get into Nerd Town here, but the way that this all works is taking advantage of a feature known as speculative execution. So essentially what this means is that modern processors, specifically on the Intel side, are always constantly trying to figure out what you're going to do before you actually do it. So instead of saying, waiting for you to say, open Twitter, it might have portions of that loaded or on a much, much smaller scale, like little tiny bits and pieces. But the issue here is a lot of times when it's wrong, it just throws out that data. Normally no problem, no harm, no foul, and your computer's faster. However, people have found that you actually can take some of that junk data, which on a massive scale can end up being full of passwords or all kinds of stuff, and actually harvest it and then send it off to who knows where. It's a really scary thing.
And the problem here is that it's taking advantage of very fundamental things which legitimately mean that we get a lot of performance out of our systems, or well, we lose a lot of performance if they're patched and deleted and removed. Nothing like a bug, which not only can compromise your data but the only way to fix it is to make your computer way slower. That's not good. That's not good at all.
Because this bypasses traditional software things such as antivirus as well as all kinds of different operating system level security features, what this means is it's just pulling data straight off of the CPU. And while a lot of it is garbage, like I said, if you have enough of this stuff and you kinda parse through it, you can very regularly pull a lot of things that you absolutely do not want to get leaked. This is something that is a big deal.
So right now, this affects pretty much any Intel processor made in the last decade. However, if you are using a phone with an ARM processor or if you have an AMD CPU, it actually doesn't seem to be affected just yet, but don't get too comfortable. There are definitely more of these things that are coming in the future.
So Apple, Microsoft, and Google have all released patches, and a lot of the stuff is doing things like patching the JavaScript and patching the browsers themselves as well as operating system level tweaks, but at the end of the day, you still do need an actual BIOS update, which is coming from Intel, they've updated a lot of microcode, but still relies on your actual hardware vendor delivering a brand new BIOS update and for you to install it. It's not as simple as turning on Microsoft Update and being done. You actually have to make sure that everything is properly updated from browser to OS to BIOS.
According to Intel, these patches mean that you're going to lose a little bit of performance. So for the most part, it should be somewhere between three and nine percent which is certainly not insignificant. However, according to Apple, it shouldn't be anything that's all that noticeable in a browser such as Safari, so it's kinda hard to say exactly how big of an impact this will have. But there's no doubt that this is not speeding anything up. It's going to make things just a little bit slower.
However, that is not the full story. So according to the security researchers who actually found this, that's actually not even going to do the entire fixing job that we need. They actually recommend to turn off hyper-threading, and that is a big deal, as hyper-threading delivers a ton of performance to a CPU and if you lose that, well, you're losing like up to 40% of your processing power, so not good. Now, according to Intel, this is not that big of an exploit where you have to turn off hyper-threading and lose that much performance. But Apple does disagree. So while by default when you do all the most recent updates to macOS it still leaves it on, but they have introduced a feature where you can not only harden the code a little bit more but importantly you can turn off hyper-threading, which is great to make it a super, super secure system. And then you say it's for people who are at elevated risk of keeping state secrets on your laptop or something, but it does mean that if you do it, you're going to lose a ton of performance.
And it just so happens that I have a MacBook in my bag that we can test with right now. Yeah, see. You were wondering why I had the backpack on the whole time. It's because I was waiting for it. So to take advantage of this, you do need a Mac which is fully up to date with either Sierra, High Sierra, or Mojave. What you can do is you can restart the system into recovery mode. This is the point where I realize that my Mac is not up to date.
So it turns out that trying to do a three gigabyte download while tethering is not the greatest idea, so it's the next day, I have my MacBook completely up to date now. So we'll see if the security patch actually makes any kind of real difference to performance. To do this, you will need to boot your Mac into recovery mode and then you'll need to put these two commands into Terminal, which I will have listed in the description. But with that, we should now have multi-threading turned off. So if I restart the system. So the way you tell if this actually worked is to open up System Report. In the Hardware, you will see that Hyper-Threading now shows Disabled. If you're running an earlier version of macOS, that won't even be an option.
So now, let's actually see how much performance we lose by hardening the system. I just like saying hardening, it's just fun. So we'll let Geekbench do its thing. Now I do want to stress this is not by any means a super scientific test, so obviously you would need to do this multiple times, I would want to use multiple systems. I'm running on battery for consistency sake. So take all of this stuff with a grain of salt. But if hyper-threading makes as big of a difference as I know it should, it won't be like, oh it's like two percent off or something. We should be losing, again according to Apple, up to 40% of our multi-threading performance by doing something like this.
So our new score is 5,708 on single core which is basically identical. And the multi score only went down to 23,000 as opposed to 25,000. So they had quoted a much, much bigger performance impact. I almost feel like I want to spend more time with this because one slight advantage to this would be that, especially with the MacBooks, given how much they throttle, this actually might make a bigger difference. Okay, I feel like this is getting way outside the scope of this video, but even doing something like disabling hyper-threading in a very much best case scenario, not a big deal. Wow, I'm legitimately really surprised. That's crazy.
MDS and ZombieLoad are absolutely a new page in what will certainly be years of these brand new hardware vulnerabilities that everyone really needs to stay on top of. My advice, as always, keep your operating system up to date, keep your browser up to date, and even pay attention to things like keeping your BIOS up to date. All of this stuff will make a big difference and just pay attention. There's a lot of this stuff that will be coming out, and we will be doing as many videos as possible as these things kind of approach. But I don't know. It's not a good time for security. There's a lot of really scary stuff that's coming up. And I know it's all fearmongering and stuff, but it is legitimately something to keep in mind, keep that stuff up to date, for real.