Home / Component / CPU / OS makers are scrambling to fix Intel CPU design flaw that allows kernel access

OS makers are scrambling to fix Intel CPU design flaw that allows kernel access

(Update 04/01/18): Intel has released a statement over the security concerns raised below. It seems that this may not be an issue unique to Intel’s own CPUs and any performance impacts will be mitigated over time. You can find more details HERE.

(Original Story 03/01/18): This week it has emerged that a design flaw in Intel’s CPUs is causing a major security bug, forcing OS makers to make design changes to kernels in order to fix. The bug is present in Intel CPUs produced over the last decade and since a microcode update won’t do the trick, it’s up to the likes of Microsoft, Apple and Linux Distros to fix it themselves, which will lead to a negative impact on performance.

According to the folks at The Register, this chip-level security flaw affects Linux macOS and Windows, leaving programmers scrambling to issue a patch. Currently, Microsoft is expected to publicly introduce the necessary changes to Windows in an upcoming Patch Tuesday. However, it will bring in a performance hit, with the ballpark figure being somewhere between five and 30 percent depending on the processor model and what task you are performing.

xintel_core_pentium_devil_s_canyon_lga1150_haswell1-e1462209059105.jpg.pagespeed.ic_.tt5SI80FbO.jpg

The security flaw is found in Intel x86-64 hardware and unfortunately it seems that a microcode update from Intel won’t be able to fix it. This means OS makers will need to fix the issue themselves. Specific details of the vulnerability are currently under embargo, with a public announcement expected this month following the necessary patches.

What we do know is that the bug is present in Intel CPUs produced over the last decade. It allows access to the contents of protected kernel memory areas via normal user processes and applications. To fix this, OS makers need to separate the kernel’s memory completely from user processes. So going forward, when a program needs to do something, it will take longer for the CPU to access the kernel, get the job done and switch back to user mode, which is where the performance hit comes in.

Where does this leave AMD? Well over Christmas AMD sent the following message to the Linux kernel mailing list, stating that its own processors are not affected by this bug: “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

Fundamentally, this bug acts as a security flaw on Intel powered systems. In a best case scenario, it could be used by cyber attackers to exploit other security bugs more easily. In a worst case scenario, it could allow for someone to read the contents of the kernel’s memory, which is usually hidden and can contain all sorts of data, ranging from login keys, files cached from disk, passwords etc.

Intel has already been in contact with OS makers to get the ball rolling on a fix, so expect to hear more about this soon when patches start rolling out for Windows, Linux and macOS.

KitGuru Says: This is a bad scenario for Intel and its customers to find themselves in, particularly given that the main fix will have a negative impact on performance. We’ll keep an eye out for any further updates to this story.

Check Also

SK Hynix is now making its 8-gigabit GDDR6 memory available

Hot in the heels of Samsung’s 16-gigabit GDDR6 announcement last night, SK Hynix has also …

  • Nikolas Karampelas

    I would like to see some short of “re-review” once the update is in place with as many cpu’s as possible so we can have a clear view on the cpu landscape.
    Especially since most intel cpu refreshes are in the scale of 5-10% per generation, this sound like a big deal. I want to know if my i3 in my gaming system will get a big hit for example, maybe if it does I will risk staying without the update.

  • Important info required – what about recently launched and upcoming CPUs?

  • Mike O’Brien

    I think I know what it is! I write device drivers, in fact I am working in that area right now. I have been openly critical of it’s misuse for some time. Projects were started to fix this problem but ran out of funding. This could affect what I am working on now too. I can’t see why in the longer term that a fix that will not impact performance, could not be found. Certainly short term fixes could impact performance. If it is what I am thinking, then the blame is firmly down to CPU, Motherboard and O/S vendors. Although a lot of the criticism was not aimed at the security aspect. It was still an area of chaos that needed them to take the lead. Maybe they will listen to us more in future. I will also avoid that update on my personal machines. As I have been aware of it for years.

  • CNFUZD

    It would seem the newer (later generation) your cpu, the less of a hit you’ll take, though it depends on what tasks you’re actually performing.

  • CNFUZD

    Linux already rolled out a ‘fix’ and it seems the performance hit is mostly in tasks involving encryption, compiling etc., whereas rendering and gaming are much less affected. Of course, once again, on linux, we dont know exactly what the windows fix will do.

  • Nikolas Karampelas

    I guess then that amd will extend the new year’s eve celebrations for a couple of days 😛

  • Peter

    karma is a b***, there she goes in full power, for all the years of intel being a unfair,deceitful competitior..

  • CNFUZD

    Sadly enough, it would seem that the first fix on windows would be ‘indiscriminate’ and hit amd just as well. Whether they’ll bother to finetune it later we just don’t know of course. I read somewhere that there is, however, a workaround that’ll allow you to ‘undo’ the fix manually. I’m sure Kitguru will keep us up to date on all that 😀

  • Doug Nichols

    It would be cool if Kitguru could rebenchmark the intel best sellers i5-6500, i-7700k etc from the last few years and see if there really is a performance drop. Particularly in what functions and are all chips affected roughly the same

  • Nikolas Karampelas

    hm… this is a problem, I was thinking of letting my gaming rig (and the i3) just out of the update, but if this affects amd even if their cpus doesn’t have the bug, I need to see what to do with my workstations that use amd cpus.
    They are work machines so it is not easy for me to just skip the update there too.

  • CNFUZD

    If I understood right, you should be able to manually disable the fix for this particular issue without disabling anything else in the patch. I’m not a specialist though and just read that while i was skimming several threads on the issue, so don’t take my word for it, but it sure would be worth looking into.

  • evolucion8

    Another reason to be happy with my Ryzen 1700 purchase lol, now about to get rid from my i7 powered Alienware laptop.

  • Billy Dyson

    Windows update can tell what hardware a system has. They could just only push it out to intel based systems

  • CNFUZD

    yeah … could. MS though … 😛

  • Rocky40

    This is pretty bad if it means 5%-30% performance loss depending on what you are doing or software you are running. I know they won’t do it but it would be great if it is left up to the end user if they want to install this patch or not. I know my choice would be to not have it installed if it means my system will get a bit slower.

    I overclock for a reason and that is to extract as much performance as I can out of what ever system I am running. I do not like the idea of losing performance because someone was to stupid to fix the problem 10 years ago and just let it slide. I am sure AMD is gonna be happy about this if it means their Ryzen’s get slightly scores up against Intel’s offerings.

    I know I will also be doing the disabling of this patch when some good soul finds out how to turn it off. With Windows 10 we have very little control on what Windows update does to our systems these days since MS thinks they can do what ever they want because they gave Windows 10 away for a full year.

  • David Howell

    Server workloads seem to be the worst affected from what I gather? That would make this an epic win for EPYC.

  • MakeConstantinopleEuropeanAnew

    AMD is affected as well.

  • NNB

    Windows update can tell what hardware a system has. They could just only push it out to intel based systems