As far as I understood, the Windows patches are just workarounds and what really needs to be done is microcode updates.
IMHO we need to wait for new processor generations.
Meltdown and Spectre attack vulnerabilities in mechanisms which enhance the performance of the vulnerable processors. This hits practically anything modern, with a few exceptions (Raspberry Pi models, Apple watch).
Also, the vendor information has to be treated with care, e.g. AMD has now acknowledged their vulnerability after first denying it (link). We have to wait and see.
Impacted is the isolation of different users on a machine.
Microcode updates are a part where the vendors can change the CPU, but it is not clear if this will fix the security holes fully or only reduce the risk somewhat and how this impacts performance.
The operating system updates and web browser updates will only reduce the risk.
Microsoft says that the computers will get slower due to the Windows patch. My first question is: If I get a microcode update (so that the Windows patch is not necessary anymore?), will the computer still be slower or will the microcode update fix the issues without performance loss?
AFAIK the microcode patch is needed as a prerequisite to the MS patches.
It also shows up as one of half a dozen points to check in a recent MS PowerShell check script (PowerShell Verification using the PowerShell Gallery).
MS VP Myerson in his blog claims:
Here is the summary of what we have found so far:
- With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
- With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
- With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
- Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
So there will be a more or less noticeable hit.
My second question: I plan to buy a new notebook and I wonder if it is okay to do so at the current time or if I should wait a few months till Intel releases new CPU models. In other words: will the CPUs of the future be better than the current patched CPUs in regards to the performance loss because of Spectre and Meltdown?
I can only speculate. It seems like security has not been a big concern in the performance optimization techniques so far. Security-hardened performance optimization techniques have to be developed and tested. That might take a year or two.
For a notebook I would not worry too much. You are unlikely to host other users there (unlike VPS or cloud service providers), so you are only exposed to malware and evil JavaScript, as you were before.
Against these, the following help:
- stay current regarding OS and web browser updates
- use a good anti-malware software
- backups
- encryption
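The PowerShell check referred to above, as an added example that is not part of the original answer and not Microsoft's own code: it runs the SpeculationControl module from the PowerShell Gallery and sorts the reported flags into those that depend on the microcode (firmware) and those that depend on the Windows patch. The property names are assumed to be the ones the module returned in early 2018; later versions add more fields.

```powershell
# Added example (not from the original answer or from Microsoft's module).
# Runs the PowerShell Gallery SpeculationControl check and separates the
# microcode/firmware side from the Windows-patch side, which is the
# prerequisite relationship the answer describes.
# Assumption: property names are those the module returned in early 2018.
# Run from an elevated PowerShell prompt.

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# The cmdlet prints its own summary and also returns an object to inspect.
$s = Get-SpeculationControlSettings

# Spectre variant 2 (branch target injection):
# needs BOTH new microcode (hardware flag) and the Windows update.
$bti = [ordered]@{
    'Microcode support present (firmware)'     = $s.BTIHardwarePresent
    'Windows support present (patch installed)' = $s.BTIWindowsSupportPresent
    'Windows support enabled'                   = $s.BTIWindowsSupportEnabled
}

# Meltdown (rogue data cache load):
# mitigated by kernel VA shadowing in the OS alone, no microcode needed.
$kva = [ordered]@{
    'Mitigation required on this CPU'           = $s.KVAShadowRequired
    'Windows support present (patch installed)' = $s.KVAShadowWindowsSupportPresent
    'Windows support enabled'                   = $s.KVAShadowWindowsSupportEnabled
    'PCID optimisation active (less slowdown)'  = $s.KVAShadowPcidEnabled
}

"`n== Spectre variant 2 =="; $bti.GetEnumerator() | Format-Table -AutoSize
"`n== Meltdown ==";          $kva.GetEnumerator() | Format-Table -AutoSize

# The case the answer warns about: OS patch installed, firmware not updated.
if ($s.BTIWindowsSupportPresent -and -not $s.BTIHardwarePresent) {
    Write-Warning ('Windows patch is present but no microcode support was found: ' +
                   'the variant 2 mitigation stays disabled until the firmware/BIOS is updated.')
}
if ($s.KVAShadowRequired -and -not $s.KVAShadowWindowsSupportEnabled) {
    Write-Warning 'This CPU needs the Meltdown mitigation but it is not enabled.'
}
```

On an AMD system the Meltdown rows should report that the mitigation is not required, which matches the vendor caveat in the answer.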