Update, 1/3/18, 1:00pm PT: Intel has responded to the reports and disputes claims of a bug.
According to recent reports, Intel and ARM processors suffer a serious hardware-level vulnerability that the vendors cannot patch via a microcode update. Addressing the vulnerability requires a significant retooling of operating systems, in particular Windows, Linux, and macOS, which reportedly causes up to a 30% reduction in performance in some workloads.
However, that number is likely overblown for the majority of applications. The overall impact of the performance regression and the specific programs impacted are poorly defined. As with many pre-release security patches, the details surrounding the bug are under NDA for now, but we expect an official update from Intel soon. Both Microsoft and Linux already have patches in the pipeline. AMD's exposure to the bug remains undefined, with some reports indicating the company's processors are immune and others stating that some models are impacted.
Please read more here:
Somewhere in the press I read on this today there was a reference to speculative execution as being involved. That gives me a queasy twinge that this might eventually resemble the long series of buffer overflow exploits, which somehow continued years after the general nature of the vulnerability was well known.
In simple terms, speculative execution involves the processor executing instructions before it actually knows it is going to need to. Like prefetching memory into cache, this is done in an attempt to gain performance by getting ahead of the game. Apparently there are cases, however, where on current implementations running current OS and applications it can allow security loopholes. Ugh.
It has been revealed that virtually all Intel processors that launched in the past decade have a significant chip-level security flaw that could result in certain content - which could include passwords - in protected kernel memory being accessed by malicious code. The problem is so pervasive that it cannot be fixed with a simple patch, but requires an OS-level overwrite of the kernel.
The security flaw, which is baked in on Intel's x86/x64 hardware, is under heavy embargo due to its nature and the risk involved. However, from what could be ascertained by The Register, it has to do with how Intel processors manage kernel executions. Whenever a program needs to execute a command or do anything at all, the processor hands over control to the kernel. To make sure this switching back and forth is executed as fast as possible, the kernel remains in all processes' virtual memory address spaces, even after the processor switches back to user mode. This negated the need for the system to dump cached data, and reload information from memory.
Please read more here:
Developers scramble to fix bug within chips made in the last decade that will affect millions of computers running Windows, macOS and Linux
Fixes for the Intel flaw should be available at the end of the week, but implementing them is expected to slow down computers.
A security flaw has been found in virtually all Intel processors that will require fixes within Windows, macOS and Linux, according to reports.
Developers are currently scrambling behind the scenes to fix the significant security hole within the Intel chips, with patches already available within some versions of Linux and some testing versions of Windows, although the fixes are expected to significantly slow down computers.
The specific details of the flaw, which appears to affect virtually all Intel processors made in the last decade and therefore millions of computers running virtually any operating system, have not been made public.
But details of the fixes being developed point to issues involving the accessing of secure parts of a computer’s memory by regular programs. It is feared that the security flaw within the Intel processors could be used to access passwords, login details and other protected information on the computer.
The Wall Street Journal's article on this matter contained a link to a Google page which I suggest people look at who are interested in what is going on at the detail level.
There is rather a lot of posturing going on, with both ARM and Intel spokesmen pointing out that the hardware is doing what was intended, so this is not a "bug". Obviously these spokesmen are using a much less broad notion of what should be called a bug than I'd like.
AMD is busy saying "not me", or at least, "not me so bad as those other guys". Really, the main reason AMD is less likely to be an important part of data center impacts is that they have such a tiny fraction of the current data center market share. The Google document makes plain that AMD parts allow exploits of this general class.
One interesting point is that the Google document states that they alerted Intel, AMD, and ARM of this class of problems on June 1, 2017. So people posting claims that this whole matter is five years old or more are conflating something else.