Faced with reports that a “major” security flaw has been discovered in millions of Intel processors sold over the past decade, Intel today responded to the claims, framing the issue as security exploits affecting “many different vendors’ processors” and requiring an “industry-wide approach to resolve this issue promptly and constructively.” Due to the nature of the exploits, OS kernel-level patches are apparently needed, and in some cases are expected to noticeably diminish performance of many computers worldwide.
Intel’s response concedes that the exploits “have the potential to improperly gather sensitive data from computing devices that are operating as designed,” but notes that the company “believes these exploits do not have the potential to corrupt, modify or delete data,” if that provides anyone with any degree of comfort. The response notes that “Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available,” but rushed the statement to address “current inaccurate media reports.”
Despite Intel’s statement on shared exposure, researchers have said that the exploits impact “virtually all” Intel-based machines, including consumer PCs, enterprise computers, and cloud servers. According to LWN.net, equivalent patches are also being readied for ARM processors, though the extent to which ARM-based devices can be compromised is unclear. An AMD engineer has suggested that the company’s chips are not affected, claiming that “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.” In a statement, AMD confirmed that, saying its processors are not affected in two of three variants suggested by Google, and that a software fix can address the third variant. Google issued the following post on the security issue, as its Project Zero team discovered the flaw last year.
On the software side, Intel notes that “several operating system vendors” are working on solutions; to that end, separate reports have suggested that Apple, Microsoft, and developers of Linux distributions are all actively readying critical kernel-level patches to address the flaw, including the technique AMD mentioned, “kernel page-table isolation” (KPTI). The patches work by relocating the secured memory area away from the insecure memory used by programs.
As noted by The Register, KPTI fixes presently slow down certain processes by 5 to 30 percent, though a given computer’s performance hit will depend on its specific processor, tasks, and operating system. Synthetic benchmarks published by Phoronix show an over 40 percent performance cut on I/O functionality with an Intel i7-8700K processor, but less than 10 percent impact during the same test with an i7-6800K chip. Video encoding and gaming performance do not appear to be affected by early fixes.
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 — and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63
— Alex Ionescu (@aionescu) January 3, 2018
Patches to address the issue have already been released for some Linux distributions and beta versions of Windows; the Windows 10 patch is expected to debut next Tuesday as part of Microsoft’s monthly patch schedule. Linux developers are being warned that performance regressions are likely.
Apple is reportedly patching macOS to address the issue, as well. Following a new tweet this afternoon from Alex Ionescu, who previously tweeted about KPTI and Windows, AppleInsider cited unnamed sources within Apple as confirming that the current version of macOS (10.13.2) mitigates the kernel issue, with additional unspecified changes planned for the upcoming 10.13.3 release. According to AppleInsider, “Early indications are that there are no notable slowdowns between a system running macOS High Sierra 10.13.1 and 10.13.2.” We have reached out to Apple for additional details and will update this article with anything the company offers.