Update: Intel Confirms Security Problem
Reports have been bubbling up this week that vendors and open source teams are hustling under embargo to fix a major security flaw affecting Intel processors over the last decade. The rumored software fix could seriously slow down both personal systems and public clouds.
Here's the top of The Register's report from Tuesday night:
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.
Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.
Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features -- such as PCID -- to reduce the performance hit. Your mileage may vary.
The next Patch Tuesday is Jan. 9. Microsoft also sent out warnings to some users that their Azure Virtual Machines would undergo an unusual reboot for security and maintenance on Jan. 10, and Amazon Web Services (AWS) e-mailed users of a maintenance reboot on Jan. 5-6, The Register noted. Officially, all the vendors are declining comment.
Patch Tuesdays are always mark-the-date events for IT, but this flaw is looking more like an all-hands-on-deck situation -- both for the security issues and then for the potential of subsequent and permanent performance problems.
UPDATE: Intel released its first statement on the issue Wednesday afternoon, confirming a serious security problem and a fix timeframe for next week, but pushing back partially on the performance hit and on reports that the problem only affected Intel chips. Here's the statement:
Intel Responds to Security Research Findings
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Posted by Scott Bekker on 01/03/2018 at 4:02 PM