Hours after reports spread about design flaws in Intel processors that could have compromised an enormous number of computers, the chip maker and security researchers released details about two vulnerabilities that will keep security consultants in business for years.
Researchers at Google and several universities published the results of the findings, discovered last June, that surface two previously unknown vulnerabilities that could affect nearly every modern microprocessor. One of them, known as Meltdown, appears to be a problem that mostly affects Intel, while the other, known as Spectre, affects both PC and mobile chip makers.
Both vulnerabilities can be exploited through a newish technique called “side-channel analysis,” said Steve Smith, corporate vice president and general manager for Intel’s data center engineering group, in a hastily arranged conference call for institutional investors after Intel’s stock fell almost eight percent on early reports before rebounding later in the day.
Side-channel analysis is “a method for an attacker who uses this exploit to observe the contents of privileged memory in a way that circumvents the normally expected privilege levels in the processor,” Smith said. Processors are supposed to work with a computer’s operating system to restrict access to protected areas where sensitive data is stored, but this method gets around the current protections and could allow attackers to read sensitive data.
This technique could also allow attackers to gain access to multiple virtual machines running on a single server, a particular concern for users of cloud services, who are often sharing a single server with other cloud users through virtual machines. “Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host,” Google wrote in a blog post detailing the findings.
Meltdown, the issue that primarily affects Intel chips, can be fixed with a software patch. But security researchers raised concerns that the patches could significantly hamper system performance, since the operating system is now being asked to do something that it was designed to assume was the chip’s job.
Intel tried to downplay performance concerns on its conference call, saying that most workloads shouldn’t see significant issues but acknowledging that “other workloads that spend a lot of time going back between the application and operating system” could see up to a 30 percent reduction in performance after installing the patches, said Ronak Singhal, director of CPU computing architecture at Intel, during the call.
The other technique unveiled Wednesday, called Spectre, appears to be a fundamental processor architecture design flaw that “is harder to exploit than Meltdown, but it is also harder to mitigate,” researchers said. No comprehensive patch for Spectre exists at the moment, but current systems can be defended with patches against specific exploits already identified.
Despite the fact that the researchers verified Spectre can work on chips from AMD, Intel’s long-time wannabe foil in the chip market, the company insisted its processors were not subject to the same risks as Intel’s chips. “Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time,” the company said in a statement.
ARM, which designs the processor cores at the heart of nearly every smartphone on the planet, said its Cortex-A cores are affected by Spectre but the Cortex-M cores found in embedded and internet-of-things devices are not affected. It directed customers that license its cores to examine their designs and determine if software patches are needed.
Intel was also very careful to note that its affected processors were “acting as they were designed to operate,” Smith said, which means Intel doesn’t plan to recall affected processors as it has in the past for chips with a dysfunctional component. A recall of that many systems could have had an untold financial impact on the world’s largest chip maker.
That means it falls to cloud vendors and operating system providers to start patching. Here are their plans.
- Amazon Web Services: “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours.”
- Microsoft: “The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required. With the public disclosure of the security vulnerability today, we are accelerating the planned maintenance timing and will begin automatically rebooting the remaining impacted VMs starting at 3:30pm PST on January 3, 2018.”
- Google: “The issue has been mitigated in many Google products (or wasn’t an issue in the first place). In some instances users and customers may need to take additional steps to ensure they’re using a protected version of a product,” which is usually a reboot in most cases listed here.
All of this information was apparently supposed to come out next week, but a report from The Register on Tuesday and a proof-of-concept exploit tweeted Wednesday forced the companies involved to disclose their plans. As a result, security researchers will need some time to pore over the disclosures and patches to get a better understanding of the exact risks involved with these vulnerabilities.
For now, whether you’re a PC user or a system administrator responsible for hundreds of servers, install the patches. Consumers likely have very little to worry about assuming they update their systems, but this could be the start of a big problem for cloud vendors and those managing large-scale on-premises data centers if new exploits based on Spectre are discovered or performance issues require them to upgrade to a more expensive configuration.
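One way an administrator can confirm that the Meltdown and Spectre patches the article urges are actually in effect on a Linux host. This is an added example, not code from the article or from any vendor named in it; it assumes the sysfs reporting interface that Linux kernels added alongside the fixes (`/sys/devices/system/cpu/vulnerabilities/`), which the article itself does not mention, and the sample status lines are constructed.

```python
"""Classify Linux Meltdown/Spectre mitigation status from sysfs (added example)."""
from pathlib import Path
from typing import Dict

# Assumption (not from the article): Linux >= 4.15 exposes one status file per issue here.
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status_line: str) -> str:
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):      # e.g. "Mitigation: PTI" is the Meltdown kernel fix
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"                         # empty or unrecognised: kernel too old to report


def read_sysfs(vuln_dir: Path = VULN_DIR) -> Dict[str, str]:
    """Read each issue's status file; a missing file yields '' so it classifies as unknown."""
    statuses = {}
    for issue in ISSUES:
        path = vuln_dir / issue
        statuses[issue] = path.read_text() if path.is_file() else ""
    return statuses


def report(statuses: Dict[str, str]) -> Dict[str, str]:
    """Classify every issue's raw status line."""
    return {issue: classify(line) for issue, line in statuses.items()}


def needs_action(summary: Dict[str, str]) -> bool:
    """True when any issue is still vulnerable or its state cannot be determined."""
    return any(state in ("vulnerable", "unknown") for state in summary.values())


# Constructed sample output, not captured from a real host: Meltdown patched, Spectre v2 not.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    live = report(read_sysfs())
    for issue, state in live.items():
        print(f"{issue:12s} {state}")
    print("action required" if needs_action(live) else "all reported issues mitigated")
```

On a host whose kernel predates the interface every issue reads as unknown, which the script deliberately treats as requiring action rather than as safe.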