Why that 40% performance hit for full 'ZombieLoad' mitigations probably won't affect you

On Tuesday, researchers published details of a Meltdown and Spectre-like vulnerability in Intel's processors, that could allow for data to be acquired via a technique called "ZombieLoad," or Intel's sexier name for it, "Microarchitectural Data Sampling." By loading in data to a processor that cannot be properly processed, the processor can potentially leak the data from other apps, effectively allowing a malicious app to acquire sensitive data or to monitor the user's browsing habits.

Apple was quick to patch the problem as part of the macOS Mojave 10.14.5 update on Monday, protecting effectively all Macs released from 2011 onwards. The patch itself has no measurable performance hit on Macs when left alone in its default state, however this did not provide a full mitigation for the vulnerability.

Full-bore losses

A full mitigation could be applied, eliminating any possibility of the issue affecting a Mac, but in the process it disabled hyper-threading and, by Apple's estimates, reduce system performance by as much as 40%. This reduction only applied to anyone who enabled the full mitigation in the Mojave update, as well as those who installed Security Update 2019-003 for High Sierra and Sierra and similarly enabled it.

This potential loss of performance immediately caused uproar from concerned users, though the anger is overblown, and not specific to the Mac.

A loss of performance is only an issue if the person managing the Mac in question goes full bore on the mitigation. Unless the Mac is being used for highly secretive tasks, the user is a potential subject for hacking attempts by a sophisticated bad actor, or some other value-based reason, there isn't really a need to turn on the full mitigation.

And, disabling Hyper-Threading will have the same impact on Windows systems too — which is why Microsoft doesn't advise it.

Safari and sourcing

For the vast majority of Mac (or Windows) users, there is no need to enable the full mitigation. As per Apple's notes on the fixes, the bulk of the alterations were made to Safari, preventing exploitation of the vulnerabilities via Javascript on a malicious website, and with "no measurable performance impact" to most users.

Along with Safari, those worried about the vulnerability, or malware in general, could easily take the time to update their security settings within macOS to download apps only from the Mac App Store. As apps from there are signed by Apple to make sure they aren't tampered with or altered, it makes the apps far safer to download than versions acquired from the internet.

That isn't to say that you shouldn't download software from other sources, but seasoned users who are capable of knowing a good source from a malicious one can easily avoid the potential hazard of installing malware that uses the vulnerability.

Outside of Safari, incoming patches for other browsers, and being careful about what is downloaded and installed from the Internet, that only leaves physical access to the Mac as the last avenue the vulnerability can be used. Quite frankly, at that point it becomes a case of either severe negligence on the user's part or it enters the realm of a highly sophisticated attack by a nation state or organization, making it highly unlikely to ever happen to almost anyone.

A source of AppleInsider within Apple corporate not authorized to speak on behalf of the company advised "The Mojave patch from Monday has robust protections for MDS vulnerabilities. If users feel that they are at a high-risk for related attacks, we've enabled the ability to turn off hyper-threading in total in Mojave, Sierra, or High Sierra."

There is also the fact that the vulnerability has so far been only displayed as a proof-of-concept attack, and that it requires a high level of expertise to pull off. "There are no 'in the wild' exploits at this time for macOS," said the AppleInsider source, "and we aren't expecting any."

Unless you are a journalist investigating a rogue government's corruption, a person of interest to agents of espionage, dealing with state secrets, or something on a similar level, there is not really any benefit to using the full mitigations and sacrificing your Mac's performance. To nearly all of our readers, the update with fixes in Safari should be enough as it is to alleviate worries without going further.