Today the tech world has been abuzz over reports that Intel CPU's, going back years and multiple architecture generations, are suffering from a major security vulnerability with acute ramifications in the enterprise sector.
The flaw centres around how Intel CPUs perform speculative writing of data to protected memory; writes are correctly blocked, but information on the state of the protected data may be leaked in the process. In essence, this could theoretically allow a process with low 'user'-level security privileges access to high 'supervisor'-level data, something that absolutely isn't allowed in current models of CPU security. A excellent detailed breakdown is laid out at Arstechnica's article on the subject.
Following reports that Operating System vendors are issuing emergency patches at the kernel level to remove specific functionality connected to the vulnerability, Intel have released the following statement on the matter:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
The research's findings highlight ongoing issues with a single vendor supplying critical components to most of an industry, i.e. a weakness being near-monopolies persisting in the market. However few would have expected Intel to be vulnerable in quite this catastrophic fashion. The fallout will almost certainly be significant: initial Linux Kernel Page Table Isolation (KPTI) patches to work around the vulnerability are suggested to cost between 5% and 30% performance, depending on workload, with large virtual machine enterprise solutions being particularly affected.
For AMD's part, it's believed that their architecture in unaffected by the flaw as they do not perform the speculative write across multiple levels of security, and subsequent OS updates should restore lost functionality (and hence performance) to their CPUs. Although bugs exist in all CPUs, at the moment it appears that only Intel's designs are affected by this particular problem (making Intel's statement a little disingenuous).
While consumer PCs will be automatically patched on Windows 10, it's currently seen as unlikely that this will significantly impact your average home user. For enterprise customers however the consequences could be severe, pushing many into the waiting arms of ARM and AMD.
SOURCE: Intel Statement, Arstechnica