Intel's massive MDS vulnerability has forced Google to slow Chrome OS, but a fix is coming

Google has pushed out a Chrome OS update (version 74) with a quick fix for the new MDS vulnerabilities that can let a bad actor read privileged portions of memory. That's the good news; the bad is that to make sure any exploits can't affect Chrome users, Hyper-Threading is now disabled by default.

A new round of Intel side-channel vulnerabilities means a new security patch.

Google says that most users won't notice any performance impact, but if you're running heavy workloads that tax the CPU and need the extra power, you can re-enable Hyper-Threading. To do so, you'll need to change a flag through the browser interface. Flags are "hidden" settings that don't appear with the rest because most users will never need to change them. Luckily, it's easy to do.

Open the web browser and enter chrome://flags#scheduler-configuration in the omnibar and hit enter. You'll see the setting highlighted in yellow at the top, and if you choose "performance" Hyper-Threading will be enabled after a reboot. To go back, choose either "default" or "conservative" and Hyper-Threading will once again be disabled.

What is Hyper-Threading?

Hyper-Threading is a neat trick Intel uses on some multi-core processors that essentially doubles the number of CPU cores. This allows the CPU to use the time between switching workloads to process data on these virtual cores, which can boost CPU performance a good bit if you're doing something that has it backed up. A dual-core Intel CPU can have four cores running with this technology, and a quad-core Intel CPU can have eight cores, and so on.

Chrome 71 showing eight cores before the update.


That 8-core Intel CPU you bought really only has 4 cores inside.

The operating system and software you use don't care if cores are physical or virtual. Firmware in the CPU itself and the motherboard work to use these virtual cores the same as the physical cores, so for all intents and purposes, the CPU has double the number of cores and can run double the number of threads. Threads are the workload from an application, and software can be programmed to use a single thread to process all of its data or multiple threads. All the software knows is that the processing it needs to do its thing is getting done.

Chrome 74 showing four live cores and four dead cores after the update.


Hyper-Threading will give a computer more processing power, and you will notice it if you're doing something that has the system waiting on data from the CPU. It also makes the processor run hotter and use a lot more battery power. When you're doing something like browsing the web or reading your timeline on Facebook, you won't care if Hyper-Threading is disabled. If you're running Android Studio or playing a 3D game, you might notice the change.

Why did Google do this and what is an MDS?

MDS stands for Microarchitectural Data Sampling and is a set of vulnerabilities that could allow something you've done to be seen by someone else using an exploit that checks for data in the CPU cache. It's a complicated process that Google says hasn't yet been successfully done on a Chromebook, but it's also a pretty serious flaw. You can read all the dirty details from Intel's announcement if you're into that.

These vulnerabilities aren't easy to exploit, but even a tiny chance that someone can get your info is bad news.

Because this flaw exists in the actual CPU hardware and not in the software, the best way to secure your Chromebook is to disable Hyper-Threading. This changes how the processor schedules its jobs, and the fill and store buffers in the CPU cache won't be readable by outside software.
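As an added example (not from the original article or from Google): on a Linux system, the kernel reports its MDS status and whether sibling threads are active through sysfs, and the shell function below combines the two into a single verdict. The sysfs paths are standard Linux kernel interfaces; that a given Chromebook exposes them to a user shell is an assumption, and the function name and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise MDS exposure from Linux sysfs.
# $1 is the sysfs CPU directory (default /sys/devices/system/cpu); passing
# another directory lets the check run on saved or constructed data.

mds_smt_verdict() {
    cpu_dir="${1:-/sys/devices/system/cpu}"
    mds_file="$cpu_dir/vulnerabilities/mds"
    smt_file="$cpu_dir/smt/active"

    # Kernels without MDS reporting do not have this file at all.
    if [ ! -r "$mds_file" ]; then
        echo "unknown: kernel does not report MDS status"
        return 0
    fi
    mds=$(cat "$mds_file")

    # smt/active is 1 when sibling threads are online, 0 otherwise.
    smt="unknown"
    [ -r "$smt_file" ] && smt=$(cat "$smt_file")

    case "$mds" in
        "Not affected"*)
            echo "ok: CPU not affected by MDS" ;;
        Mitigation*)
            if [ "$smt" = "0" ]; then
                echo "ok: kernel mitigation active and Hyper-Threading off"
            elif [ "$smt" = "1" ]; then
                echo "partial: kernel mitigation active but Hyper-Threading on"
            else
                echo "partial: kernel mitigation active, Hyper-Threading state unknown"
            fi ;;
        *)
            echo "exposed: $mds" ;;
    esac
}

# Constructed sample (not captured from a real device): mitigated, HT still on.
sample=$(mktemp -d)
mkdir -p "$sample/vulnerabilities" "$sample/smt"
echo "Mitigation: Clear CPU buffers; SMT vulnerable" > "$sample/vulnerabilities/mds"
echo 1 > "$sample/smt/active"
mds_smt_verdict "$sample"
rm -rf "$sample"
```

Calling `mds_smt_verdict` with no argument reads the live system's files instead of the constructed sample.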

The worry is that scripts on a web page or in an Android app can try to exploit these vulnerabilities, and if they can get to sensitive data like your keystore (where Chrome stores user names and passwords, credit card data, and other personal information), that's pretty serious. Google did what was necessary to fix things right now, and will continue working on the problem to find a "better" way to fix it.

All you need to know is that anything you hear about MDS flaws or exploits won't affect your Chromebook or Chromebox. Google will likely find a better fix through software in future versions and enable Hyper-Threading by default once again. These MDS vulnerabilities closely resemble the Spectre and Meltdown vulnerabilities we saw last year and Google was able to essentially fix them in Chrome through a software workaround. Smart people doing smart things makes our stuff run great!


Should you enable Hyper-Threading?

Probably not.

If you have to ask ...

This is a classic case of "if you have to ask, the answer is no." If you're unsure of what Hyper-Threading is or why Google disabled it to mitigate a side-channel data vulnerability, then you should leave things alone and trust the pros. You might notice some slowdown in your normal work, but unless you're really pushing things with Linux applications or running heavy web apps, you'll be fine.

If you do use your Chromebook for things like coding through Android Studio or another Linux IDE, then you might need to enable it. Testing multi-core threading in your program or compiling something big needs the virtual cores to be in place. Use the instructions above to change the flag when you need to enable Hyper-Threading, then disable it when you don't.

I've left the setting alone and am running version 74 as-is. I'm not noticing any difference while working with multiple tabs open, including a YouTube playlist of my favorite songs. The Cog Chrome app shows that the cores are disabled and the four physical cores in my HP Chromebook x360 14 are running under more load and slightly hotter after the update, but the difference in usability isn't apparent.

If you use a Chromebook for intense work like programming and see a difference, please hit the comments and share your experience.


Jerry Hildenbrand
Senior Editor — Google Ecosystem
