Apple posts instructions on how to enable full mitigation against Intel CPU attacks on Mac, up to 40 percent performance penalty

Following the announcement of new speculative execution exploits that target Intel CPU architecture, Apple has posted a new document on its website that explains how customers with computers that are ‘at heightened risk’ of attack can enable full mitigation. Full mitigation is not enabled by default as it is probably an excessive amount of security for the average user, and it comes with big performance penalties.

In its tests, Apple recorded up to a 40 percent drop in performance with full mitigation activated. This is because enabling MDS protection involves disabling hyper-threading entirely, and adds additional barriers when the processor switches contexts.

Try Amazon Prime 30-Day Free Trial

Most users do not need to worry about enabling full mitigation. macOS 10.14.5 includes the most important and most relevant patches, like preventing JavaScript exploits through Safari. Apple rolled these critical fixes for all customers as the performance penalty was small/negligible.

The full mitigation mode may be of interest to customers who are particularly at risk, like members of government or high-ranking business executives.

It’s also important to stress that the danger is currently just a theoretical concern and there are no known attacks out in the wild that affect Macs. Naturally, Apple recommends that users only download trusted software from the App Store.

With those qualifiers in mind, to enable full mitigation, follow these steps:

  1. Restart your Mac and hold Command key and the R key to enter macOS Recovery mode.
  2. Open the Terminal from the Utilities menu.
  3. Enter the command ‘nvram boot-args=”cwae=2’ (without single quotes) and press Return.
  4. Enter the command ‘nvram SMTDisable=%01’ and press Return.
  5. Then restart the Mac.

For more details on this process, check out the support documentation including instructions on how to verify if hyper-threading has been deactivated and steps to disable full mitigation if you no longer need it. These speculative execution exploits specifically affect Intel CPU architecture and pose no risk to Apple’s ARM chips in its iPhones and iPads.

This article was originally posted here