A security flaw in Intel processors has led to a redesign of Linux and Windows kernels. Programmers have been busy for the past two months patching the Linux kernel’s virtual memory system to protect against a hardware bug in Intel CPUs that could let attackers exploit security weaknesses and access security keys, passwords, and files cached from a disk. The Register reports that software updates are required for both Windows and Linux systems, and performance of a machine will be affected.
Reports suggest information around the specific bug has been kept confidential between software and hardware vendors, and patches for the Linux kernel include comments that have been redacted to prevent attackers discovering the precise weakness. The security bug could be present on Intel processors manufactured over the past 10 years, meaning many systems will require updates.
The exact bug is related to the way that regular apps and programs can discover the contents of protect kernel memory areas. Kernels in operating systems have complete control over the entire system, and connect applications to the processor, memory, and other hardware inside a computer. There appears to be a flaw in Intel’s processors that lets attackers bypass kernel access protections so that regular apps can read the contents of kernel memory. To protect against this, Linux programmers have been separating the kernel's memory away from user processes in what’s being called “Kernel Page Table Isolation.”
The problem with this isolation is that some programmers are reporting performance hits after systems are patched. The Register reports that the slowdowns could be between 5 and 30 percent depending on the exact Intel processor. While Linux patches have been rolling out over the past month, a Windows 10 patch is not yet available. Some are speculating that Microsoft will deliver this in an upcoming Patch Tuesday, as the company started separating the NT kernel memory with Windows 10 beta builds in November. “We have nothing to share at this time,” says a Microsoft spokesperson, in response to a query from The Verge.
It’s still unclear how these patches will affect regular Windows, Mac, and Linux machines. AppleInsider reports that Apple has already deployed a partial fix for the security bug in macOS 10.13.2, which was released last month. Citing multiple sources at Apple and developer Alex Ionescu, who publicly identified code that points to the fix, the report says Apple has mitigated the flaw by altering existing programming requirements related to the kernel memory data in macOS. More changes are expected to come with 10.13.3 soon, AppleInsider reports.
Still, one researcher speculates that virtual machines and cloud providers will be most affected by the security problem and resulting performance hits. Microsoft’s Azure cloud will experience maintenance next week, and Amazon Web Services has warned that a big security update is coming on Friday. AMD has confirmed that its own processors are not affected by this security bug. “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” explains Tom Lendacky, an AMD engineer. AMD stocks have soared this morning as a result of Intel’s processor flaw. Intel has not yet publicly commented on the security problem.
Update, 1:30PM ET: Article updated with a statement from Microsoft.
Update, 2:38PM ET: Article updated with information about an Apple fix for the flaw.