Evidence is mounting that many of the biggest companies in the IT industry are working together to rush out a number of patches to their respective products because of a massive security hole that has been identified in all Intel CPUs released over at least the past decade. Security researchers and industry professionals have posted to their blogs as well as to threads on Reddit, 4chan and Hacker News, regarding sudden and unusual changes to the Linux kernel, as well as the fact that they are being committed under embargo with redacted comments. Simultaneously, Microsoft is said to be working to push out similar patches.
The issue said to be due to a flaw with Intel processors that cannot be addressed with an update by Intel, thus requiring everyone else to work around it. According to The Register, which has compiled and cross-referenced multiple reports, the flaw potentially allows programs to access areas of system memory used by an operating system’s kernel when it is called into action by another program. This is thanks to the use of shortcuts that let software quickly exchange data and instructions with the kernel inside its own memory space. Programs are supposed to be isolated from one another to prevent them from accessing each other’s sensitive data but these shortcuts are suspected of bridging that divide, potentially exposing passwords and encryption keys. Patches would restrict the kernel to its own protected memory space and force programs to hand off control completely while the kernel is in play.
The immediate effect of the patches that are expected to be released would be a reduction of performance, which industry watchers are estimating would be between 5 percent and 30 percent. Most heavily affected would be virtualisation environments, which depend heavily on the ability for hardware and software to work together in isolating virtual machines from each other and from the host system. In addition to OS vendors, Amazon’s EC2, Google’s Compute Engine, and other infrastructure providers are said to be involved and are planning their own mitigation measures.
The secrecy could be necessary in order to prevent specifics of the flaw becoming widely known, allowing for easy exploitation. While ordinary home and office PC users aren’t the biggest targets for malware distributors, is highly unlikely that every PC and embedded device with an Intel processor will be able to be patched, and insecure systems are likely to be in use around the world for decades to come.
According to industry insiders weighing in on the matter, AMD processors are not affected by the flaw but it is unclear whether patches will be able to allow them to continue working the way they do. It is speculated that the improved kernel security will be implemented through blanket measures causing performance to degrade on AMD processors as well.
So far, Intel has not made any comment, most likely to prevent malicious actors from getting a head start on their inevitable exploits. However, it will have to disclose exactly what the flaw is and which products are affected as soon as it is ready to go public. A lot of what is known at the moment is speculation and educated guesswork, but it looks as though more thorough disclosure will be made in the near future. While experts are stopping short of describing the situation as panic, it seems clear that people are working furiously behind the scenes to get these patches released quickly.