Update 5:30pm: Intel held a press conference Wednesday afternoon after this was published, and several researchers released a lot more details about these issues. That story is here.
The companies and organizations responsible for maintaining operating systems designed for Intel’s x86 chips are pulling out all the stops this week to patch a critical security flaw, yet nobody is ready to talk about it.
The Register reported Tuesday that patches were being finalized for Windows and Linux operating systems after the discovery of an embarrassing bug within Intel chips that could let a malicious hacker access areas of the chip that are supposed to be off-limits. It’s not clear exactly what happened, or exactly what is needed to fix the flaw, because the companies and groups involved aren’t talking about it yet; security patches are often handled quietly in hopes of avoiding those bent on exploiting the flaws with criminal intent.
The problem, however, is being widely discussed on Twitter. Intel’s stock fell more than six percent in morning trading before recovering a bit, while AMD — which told The Register its x86 chips are not affected by this problem — enjoyed a nearly 10 percent boost.
So that's proof of concept for the #IntelBug. That's potentially game over for every Intel processor manufactured in the last 10 years, slowdowns could be between 5 and 30% after patching, https://t.co/ISyWWqOPkq. https://t.co/LS76vWZ6ln
— Alasdair Allan (@aallan) January 3, 2018
Amazon Web Services began notifying customers in December that it would have to reboot their EC2 instances — its core computing cloud service — on Friday to patch their systems, and the impact of that downtime could be significant. Microsoft is expected to address the issue in its next round of Patch Tuesday updates; a representative for the company declined to comment. Representatives for AWS and Google did not immediately respond to a request for comment.
While it’s still not clear exactly how substantial this chip flaw is, the speed and relative secrecy of the effort to develop a fix speak volumes. It’s a complicated problem; modern operating systems written for Intel chips expected the chip to be able to prevent code from executing in the protected area, and their maintainers now have to write code themselves to let those operating systems route around that flaw. And whenever you touch the basic code at the heart of something as complex as a modern operating system, you risk a cascade of new problems caused by that altered code, no matter how much testing you conduct.
I can only imagine how annoying so much speculation is to the poor souls that actually have to manage the public disclosure 🙄
— jessie frazelle (@jessfraz) January 3, 2018
This is quite a widespread problem: the flaw is believed to impact Intel chips as many as ten years old. Intel’s chips run more than 90 percent of the servers used to provide cloud services and in-house infrastructure, and the installed base of those chips is massive.
Security experts believe the patches will cause some degree of performance loss, although opinions varied quite a bit on exactly how much slower we should expect our systems to get. PC and Mac users might not notice, but companies running critical applications on cloud-based hardware or on-premises machines choose their configurations based on the amount of performance they expect from that system.
Let's be a bit cautious about presuming to know the impact of the X86 page table vulnerability. This is pretty clearly a big deal, but the right people have been working on it. They're not the kind who would blithely ship a 30% across the board perf hit.
— Dan Kaminsky (@dakami) January 3, 2018
I’ll follow up with more details if and when anyone is willing to talk in more detail about this problem, and if you have information please contact me below.
Update 12:15pm: Intel has released a statement saying that the problem isn’t unique to its chips, but that it does affect Intel chips and that the company is working with a number of other organizations to patch the issue. The company said patches and more information should be available next week.
At least one security expert was skeptical of Intel’s claim, as was Cloudflare CEO Matthew Prince, who buys a lot of servers to maintain Cloudflare’s anti-DDoS services.
"Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect." is wrong, it's at worst a KASLR bypass on other manufacturers, not a kernel memory read like Intel here.
— Longhorn (@never_released) January 3, 2018