Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
A security flaw in Intel processors has led to a redesign of Linux and Windows kernels. Programmers have been busy for the past two months patching the Linux kernel’s virtual memory system to protect against a hardware bug in Intel CPUs that could let attackers exploit security weaknesses and access security keys, passwords, and files cached from a disk. The Register reports that software updates are required for both Windows and Linux systems, and performance of a machine will be affected.
Reports suggest information around the specific bug has been kept confidential between software and hardware vendors, and patches for the Linux kernel include comments that have been redacted to prevent attackers discovering the precise weakness. The security bug could be present on Intel processors manufactured over the past 10 years, meaning many systems will require updates.
Flaw is related to kernel memory access
The exact bug is related to the way that regular apps and programs can discover the contents of protected kernel memory areas. Kernels in operating systems have complete control over the entire system, and connect applications to the processor, memory, and other hardware inside a computer. There appears to be a flaw in Intel’s processors that lets attackers bypass kernel access protections so that regular apps can read the contents of kernel memory. To protect against this, Linux programmers have been separating the kernel's memory away from user processes in what’s being called “Kernel Page Table Isolation.”
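To see whether a given Linux host is running with Kernel Page Table Isolation, the kernel's own reporting can be read directly. The script below is an added example, not part of the original article; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown` (mainline since 4.15) and otherwise falls back to the `pti` flag and `cpu_meltdown` bug entry in `/proc/cpuinfo`. The function name `kpti_status` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): report KPTI / Meltdown status on Linux.
# kpti_status is a hypothetical helper name. Both paths can be overridden so
# the logic can be exercised against saved copies of the two files.
kpti_status() {
    sysfs=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    cpuinfo=${2:-/proc/cpuinfo}
    line=""

    # Preferred source: the kernel's own one-line verdict.
    if [ -r "$sysfs" ]; then
        read -r line < "$sysfs" || true   # tolerate a missing trailing newline
        case $line in
            "Not affected"*) echo "not-affected"; return 0 ;;
            "Mitigation:"*)  echo "mitigated";    return 0 ;;
            "Vulnerable"*)   echo "vulnerable";   return 0 ;;
        esac
    fi

    # Fallback for kernels without the sysfs file: the "pti" CPU flag means
    # page table isolation is active; a "cpu_meltdown" bug entry without it
    # means the CPU is flagged as affected and isolation is off.
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)' "$cpuinfo" 2>/dev/null; then
        echo "mitigated"
    elif grep -Eq '^bugs[[:space:]]*:.*cpu_meltdown' "$cpuinfo" 2>/dev/null; then
        echo "vulnerable"
    else
        echo "unknown"
    fi
}

# Print the status of the machine this runs on (or of the files given).
kpti_status "$@"
```

A result of `unknown` means neither source gave a verdict, which on an older kernel is a reason to check the distribution's update status rather than a sign that the host is safe.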
The problem with this isolation is that some programmers are reporting performance hits after systems are patched. The Register reports that the slowdowns could be between 5 and 30 percent depending on the exact Intel processor. While Linux patches have been rolling out over the past month, a Windows 10 patch is not yet available. Some are speculating that Microsoft will deliver this in an upcoming Patch Tuesday, as the company started separating the NT kernel memory with Windows 10 beta builds in November. “We have nothing to share at this time,” says a Microsoft spokesperson, in response to a query from The Verge.
It’s still unclear how these patches will affect regular Windows, Mac, and Linux machines. AppleInsider reports that Apple has already deployed a partial fix for the security bug in macOS 10.3.2, which was released last month. Citing multiple sources at Apple and developer Alex Ionescu, who publicly identified code that points to the fix, the report says Apple has mitigated the flaw by altering existing programming requirements related to the kernel memory data in macOS. More changes are expected to come with 10.3.3 soon, AppleInsider reports.
Still, one researcher speculates that virtual machines and cloud providers will be most affected by the security problem and resulting performance hits. Microsoft’s Azure cloud will experience maintenance next week, and Amazon Web Services has warned that a big security update is coming on Friday. AMD has confirmed that its own processors are not affected by this security bug. “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” explains Tom Lendacky, an AMD engineer. AMD stocks have soared this morning as a result of Intel’s processor flaw. Intel has not yet publicly commented on the security problem.
Update, 1:30PM ET: Article updated with a statement from Microsoft.
Update, 2:38PM ET: Article updated with information about an Apple fix for the flaw.
If an Intel processor from the last decade is powering your desktop, laptop or other PC, or perhaps servers in your data center, chances are you’re going to have to deal with a new vulnerability and hardware-level chip bug that is currently out in the wild. As Brandon Hill at HotHardware reports, the bug also affects virtually all operating systems, from Windows to Linux and MacOS. Further, and this is perhaps the worst part, the software patch for whatever OS you’re currently running will bleed off system performance by as much as 30 percent. In data centers, this is a double-edged sword of both security and performance concerns that could result in significant expenditures in man-hour resources to patch systems and potentially affect critical available CPU resources as well.
Dave Altavilla - HotHardware
The bug, which only exists in Intel processors, allegedly allows access to kernel memory data, which is a major security threat vector that could be fairly easily exploited. Software patches, or work-arounds for all operating systems, would require implementing Kernel Page Table Isolation (PTI) mechanisms, which would isolate kernel memory, rendering it inaccessible. Linux patches have already been pushed out by Linus Torvalds himself and Microsoft is expected to issue an update in one of its future Patch Tuesday releases for Windows.
To be clear, these software patches are being released and will apply this fix for all processors, regardless of processor type in the targeted system. In other words, though AMD processors are not affected and are not subject to this vulnerability, applying the patch would nonetheless result in possible performance degradation. Thomas Lendacky, a member of the Linux OS group at AMD, reports “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.” As such, AMD is currently not recommending patching systems for this Intel bug, though again, it will likely be pushed from OS vendors, regardless.
Some early benchmark testing on Linux systems has already surfaced, and indeed performance drop-offs in the area of 18 percent or so have been observed, especially in IO-intensive operations. Further assurances for AMD’s data center EPYC server chips and enterprise Ryzen Pro CPUs come by way of the company’s Secure Memory Encryption (SME) technology, which is specifically designed to protect against physical memory attacks as well. Shares of AMD were up nearly 6% this morning on news of the Intel bug.
I have reached out to my contacts at Intel and Microsoft for a formal response regarding this issue and will provide updates here as available.
Update - 1/13/2018, 6:19PM EST: Intel has in fact issued a formal response to this specific chip errata and the company has noted that the "average computer user" will be negligibly affected by any software fixes related to this errata, and that any negative performance outcome "will be mitigated over time."
Update - 1/13/2018, 7:29PM EST: A Microsoft spokesperson has also just offered a formal response to this issue as well, noting "We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
The company also asserts that this isn't a flaw, but rather "software analysis methods" that could potentially grab sensitive info from computing devices. It doesn't appear to have the ability to corrupt, delete or modify data, Intel added, although that wouldn't be much comfort if someone took sensitive material. There have been "no instances" of people abusing the vulnerability, Intel chief Brian Krzanich told CNBC.
True to rumors, Intel and other firms had planned to reveal the issue "next week," or just in time for firmware and software updates that would address the problem. It only piped up sooner because it wanted to address reports.
It's not shocking that Intel would try to get ahead of the issue in this way. If this really had been an Intel-specific issue, it would have been a serious blow to a company trying to fend off rising competition from AMD and Qualcomm. At the same time, it's far from reassuring to hear that potential attacks can affect even more systems than first thought, and that few people if any would completely avoid a slowdown (however slight). Like it or not, the device you're using right now is almost certainly affected by this, and certain users (particularly server operators) are bound to notice it.
Update: AMD isn't having Intel's claims that the issue is hardware-independent. In its own statement, it asserted that architecture differences meant that there was "near zero risk" to AMD-made processors. That lines up with the initial report, which referenced communication from AMD suggesting that its processors weren't vulnerable. There's clearly a he-said-she-said dispute going on, and it may be a while before we get the full story. You can read the full statement below.
"Hi - There is a lot of speculation today regarding a potential security issue related to modern microprocessors and speculative execution. As we typically do when a potential security issue is identified, AMD has been working across our ecosystem to evaluate and respond to the speculative execution attack identified by a security research team to ensure our users are protected.
"To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time."
Update 2: The embargo on the vulnerabilities has expired early, and we now have a clearer idea of what they are. Meltdown is the one at the heart of the issue, and uses speculative execution to break the "fundamental isolation" between apps and the OS in a bid to swipe data. Spectre, meanwhile, uses a similar approach to break walls between otherwise secure apps. In fact, the safety checks of some of those apps actually make them more vulnerable. It's more difficult to exploit Spectre, but it's also more difficult to stop.
Google and Microsoft have already outlined what they're doing. Google says Android phones with the latest security update are safe, as are Google Apps, Google App Engine and smart phone devices like Google Home, Chromecast and Google WiFi. You'll want to invoke a Site Isolation feature on Chrome or Chrome OS, however. Microsoft, meanwhile, has issued a rare off-schedule Windows security update to address the problem.