Alice Bevan–McGregor/Flickr (CC-BY)
All major OS providers are working on patches.
A vulnerability in modern Intel chips is forcing a redesign of the kernel software found on all major operating systems—and it could have a significant impact on the performance of your computer. The mysterious flaw, first reported by the Register, is extremely complicated. We’re going to simplify things so you can understand its consequences and know how to protect yourself.
The issue deals with memory in the kernel, or the central part of an operating system that connects applications with your computer’s hardware. Whenever you run a program on your computer, it needs to switch control of the processor from the user to the kernel so it can carry out a task. It does so thousands of times a day. Needless to say, the kernel is extremely important.
There appears to be a hole in the workings of Intel’s processors that lets attackers use low-privileged processes to read the memory of a kernel that it temporarily stores in a cache. That memory contains sensitive data—like passwords, files, and security keys—that could make it easy for hackers to put malware on your device. And while Intel says it “believes” the exploits do not have the “potential to corrupt, modify or delete data,” being able to spy on that sensitive content could be damaging enough.
Researchers at Google’s Project Zero identified two bugs based on the flaw: Meltdown and Spectre. Both attacks can infect computers, smartphones, and even cloud services that use Intel hardware.
“These hardware bugs allow programs to steal data which is currently processed on the computer,” the researchers wrote. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
The Meltdown bug “allows a program to access the memory, and thus also the secrets, of other programs and the operating system,” while Spectre “allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”
You are almost certainly vulnerable to both of these attacks. Reports claim the flaw affects all x86 Intel CPUs shipped in the last 23 years. Since Intel has a claim on a large majority of the market—nearly 80 percent—almost everyone, from students to engineers, are at risk.
The good news is that Microsoft will address the vulnerability in a software update on Tuesday, Jan. 9 based on changes made in a beta version of Windows. Programmers are working tirelessly to patch the open-source OS Linux. Mac users should also have some comfort in knowing that Apple reportedly issued a partial fix in macOS 10.13.2 and will continue to improve things in 10.3.3. Still, no major operating system is fully protected.
Also, the patch could result in a significant decline in your computer’s performance.
“We’re looking at a ballpark figure of five to 30 percent slow down, depending on the task and the processor model,” the Register reports.
A number of programmers ran benchmark tests before and after the fix. Some tests resulted in a large drop in performance while there were no discernible differences in others.
Intel confirmed the performance differences will depend on what tasks users are performing.
“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” the company said.
It will also depend on the age of the processors. Generally, newer processors are better equipped to handle the patch.
It’s unclear if the kernel problem also affects processors made by AMD, Intel’s biggest rival. AMD engineer Tom Lendacky previously said that “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.” But in a blog post, Intel called out “inaccurate media reports” and suggested processors from other manufacturers are also vulnerable.
“Based on the analysis to date, many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits,” the post said.
Intel says it’s working with other companies and assured a fix would be released soon.
“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,” the company said.
Unfortunately, there’s not much you can do to protect yourself except wait for an update from your OS provider and download it as soon as possible—even if that means taking a hit in performance.
Update Jan. 4, 8:56am CT: Microsoft reportedly released an emergency update on Jan 3. that patches the processor bug. The fixes were released outside of Microsoft’s normal Tuesday update schedule, suggesting the company considered it to be urgent. The patch is, for now, only available for Windows 10. To manually update your computer, go to Settings>Update & Security>Check for Updates.
Some Linux patches have also been released, though users are seeing significantly reduced CPU performance.
Update Jan. 4, 8:20pm CT: Apple confirmed in a statement on Jan. 4 that all Mac and iOS devices are affected by the Meltdown and Spectre bugs. The Apple Watch is not affected.
“These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” Apple said.
The company emphasized that users should only download software from “trusted sources such as the App Store.”
Software updates for MacOS 10.13.2, iOS 11.2, and tvOS 11.2 all address the vulnerabilities caused by the bugs, Apple added. Safari users can expect an update “to help defend against Spectre” in the next few days.
Update Jan. 9, 7:42am CT: Speaking at CES 2018, Intel’s chief executive Brian Krzanich said software updates to fix the Spectre and Meltdown bugs will be released in the next few days. He promised 90 percent of processors made in the last five years will be secure within a week. The remaining 10 percent will be patched by the end of January.
“As of now, we have not received any information that these exploits have been used to obtain customer data,” he reiterated. “We’re working tirelessly on these issues to ensure it stays that way.”