Serious design flaw 'affects all Intel chips from the last decade'

But an OS-level fix could drastically affect device performance - report

A serious design flaw reportedly present in all Intel's CPUs made in the last 10 years could leave devices vulnerable to hackers, requiring an operating system (OS) update in order to fix it.

The flaw allegedly affects all systems running Intel x86 chips and is present across all popular operating systems, including Windows, Linux, and macOS, but is currently under embargo, meaning the full details of the bug are yet to be officially announced. 

Advertisement - Article continues below

The bug allows normal user programs, such as database applications and JavaScript in web browsers, to distinguish some of the layout or contents of protected kernel memory areas of the chips, according to The Register, which uncovered the vulnerability.

However, the major problem for users is that a patch to the flaw will actually cause significant declines in performance for the affected machines, the publication said. These slow-downs could impact performance by as much as 30%, depending on the task and the processor model, but they're reportedly still being benchmarked.

The full details of the bug are expected to be revealed later this month. Microsoft is also expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday this month, after seeding them to beta testers running fast-ring Windows Insider builds in November and December.

Advertisement
Advertisement - Article continues below

A software developer who runs a popular Tumblr called Python Sweetness, has blogged about the potential trouble this flaw could cause once it's made official. They warned that "from everything I've seen, including the vendors involved, many fireworks and much drama is likely" when the embargo lifts. 

Advertisement - Article continues below

"In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer," they explained.

"I would not be surprised if we start 2018 with the release of the mother of all hypervisor privilege escalation bugs, or something similarly systematic as to drive so much urgency, and the presence of so many interesting names on the patch set's CC list."

An Intel spokesperson said that "many different vendors and operating systems" are vulnerable to the bug.

They added: "Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. 

"Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied."

Picture: Bigstock

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/security/vulnerability/356295/microsoft-patches-high-risk-flaws-that-can-be-exploited-with-a
vulnerability

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020
Visit/laptops/34623/how-to-connect-one-two-or-more-monitors-to-your-laptop-including-usb-type-c
Laptops

How to connect one, two or more monitors to your laptop

29 Jun 2020