02:55 PM

Intel Processor Security Flaw Prompts Kernel Makeovers in Linux, Windows

An as-yet undisclosed design flaw in Intel processors has OS programmers working on kernel updates that reportedly could slow performance.

A design flaw in Intel microprocessors has Linux and Microsoft Windows developers reworking their kernels to defend against exploitation of the security bug.

Details of the flaw have not yet been made public, and Intel and Microsoft have remained mum about the chip design flaw, which was first reported by The Register this week. The report said Microsoft is expected to issue updates for Windows in next week's Patch Tuesday batch, while Linux developers have been openly working on fixes online. According to the report, the OS updates ultimately could slow performance of the systems, in some cases by 5% to 30%. Newer Intel processors aren't as susceptible to a performance impact, the report said.

Renowned security expert Dan Kaminsky says without the details of the flaw out yet, it doesn't make sense to theorize about its ramifications. "I think we shouldn't speculate until the bug is disclosed," Kaminsky says. "Clearly, the notable part of this is whatever it is can't be addressed in microcode."

Intel had not responded to press inquiries as of this posting, and Microsoft declined to comment.

The flaw - which reportedly affects processors in millions of computers - could allow applications, including JavaScript in a Web browser, to read protected areas of the kernel memory. 

The kernel is designed to separate "userland" from sensitive kernel areas "so that userland programs can't take over from the kernel itself and subvert security, for example by launching malware, stealing data, snooping on network traffic and messing with the hardware," wrote Sophos security analyst Paul Ducklin in a post today.

The new Linux patch isolates kernel memory from user processes via Kernel Page Table Isolation (KPTI), which gives each process a separate set of page tables for user mode that no longer maps most of the kernel's address space.
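As an added example (not from the article, Sophos, or the Linux kernel project), a small POSIX shell check a Linux administrator can run to confirm that KPTI is actually active before accepting the performance trade-off described above: kernels carrying the KPTI patches advertise a "pti" entry in the CPU flags line of /proc/cpuinfo, and the pti= boot parameter can force it off. The sample cpuinfo and cmdline strings are constructed for offline use.

```sh
#!/bin/sh
# Check whether Kernel Page Table Isolation (KPTI) is enabled on a Linux host.
# Assumption: the running kernel includes the KPTI patches, which add the "pti"
# feature flag to /proc/cpuinfo when isolation is active and honour the
# kernel boot parameter pti=on|off|auto.

# Read cpuinfo-style text from stdin; print "enabled" if the flags line
# carries the "pti" token, "disabled" otherwise.
kpti_status_from_cpuinfo() {
    if grep -E '^flags[[:space:]]*:' | tr ' ' '\n' | grep -qx 'pti'; then
        echo enabled
    else
        echo disabled
    fi
}

# Read kernel command line text from stdin; print "forced-off" if an
# administrator booted with pti=off (a common way to reclaim performance,
# at the cost of the mitigation), "not-forced-off" otherwise.
kpti_cmdline_override() {
    if tr ' ' '\n' | grep -qx 'pti=off'; then
        echo forced-off
    else
        echo not-forced-off
    fi
}

# Live checks against the running system.
kpti_status() { kpti_status_from_cpuinfo < /proc/cpuinfo; }
kpti_override() { kpti_cmdline_override < /proc/cmdline; }

# Constructed sample inputs (not captured from a real machine).
SAMPLE_PATCHED='flags		: fpu vme de pse tsc msr pae mce cx8 pti'
SAMPLE_UNPATCHED='flags		: fpu vme de pse tsc msr pae mce cx8'
SAMPLE_CMDLINE_OFF='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro pti=off quiet'
SAMPLE_CMDLINE_DEFAULT='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PATCHED"   | kpti_status_from_cpuinfo   # enabled
printf '%s\n' "$SAMPLE_UNPATCHED" | kpti_status_from_cpuinfo   # disabled
printf '%s\n' "$SAMPLE_CMDLINE_OFF" | kpti_cmdline_override     # forced-off
```

On a real host, run `kpti_status` and `kpti_override` together: "disabled" with "not-forced-off" suggests the kernel simply lacks the patch, while "disabled" with "forced-off" means someone chose to turn the mitigation off.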

"This security fix is especially relevant for multi-user computers, such as servers running several virtual machines, where individual users or guest operating systems could use this trick to “reach out” to other parts of the system, such as the host operating system, or other guests on the same physical server," Ducklin explained.

The risk of attack on appliances or endpoints such as a laptop appears to be low, he said, because an attacker would have to run code on the targeted machine to exploit it.

"On shared computers such as multiuser build servers or hosting services that run several different customers' virtual machines on the same physical hardware, the risks are much greater: the host kernel is there to keep different users apart, not merely to keep different programs run by one user apart," Ducklin said.

Intel has been under the security microscope several times in the past year, starting with its May 2017 disclosure of a critical privilege-escalation bug in its Active Management Technology (AMT) firmware used in many Intel chips that affected AMT firmware versions dating back to 2010. It's up to hardware OEMs to update their platforms with Intel's fix.

The AMT vulnerability, discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. The flaw allows an attacker to remotely delete or reinstall the operating system on a vulnerable system, or control the mouse and keyboard, for instance. 

Last fall, Intel patched a vulnerability in its microprocessors that could be used by an attacker to burrow deep inside a machine and control processes and access data - even when a laptop, workstation, or server is powered down. Researchers from Positive Technologies first discovered the flaw, a stack buffer overflow bug in the Intel Management Engine (ME) 11 system that's found in most Intel chips shipped since 2015. ME, which contains its own operating system, is a system efficiency feature that runs during startup and while the computer is on or asleep, and handles much of the communications between the processor and external devices.

And now the Intel design flaw, the details of which remain a mystery. "This flaw has existed for years and has been documented about for months, at least, so there is no need to panic; nevertheless, we recommend that you keep your eyes out for patches for the operating systems you use, probably in the course of January 2018, and that you apply them as soon as you can," Sophos' Ducklin advised.

The flaw also reportedly affects cloud services such as Amazon EC2, Microsoft Azure, and Google Compute Engine. "Amazon just sent a notice about a major security update and EC2 is scheduled to reboot this Friday," said Chris Morales, head of security analytics at Vectra. "If the Azure and Amazon reboots are related to the Intel flaw, it would demonstrate how far reaching the impact is. A phrase like 'the cloud is rebooting' is not something that anyone has had to say before, and it reminds me of the kind of far reaching impact that Y2K was feared to have had."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
1/17/2018 | 2:12:14 PM
Re: ...and what about IG followers for Apple's?
I've been listening for the other shoe to drop, too. 

One the one side, exploiting these vulnerabilities seems to require a sophisticated, targeted, attack - indicating a high-value target, and stealth.  On the other, there is a window that will close, as more and better mitigations/solutions are developed and applied - so if they are going to leverage these vulnerabilities, they have to move quickly. 

What attackers could be after is not a quick score, but the prerequisites for a big score at some point in the future.  Could be we won't see signs of a significant exploitation unless and until forensics from that future hit point back to access and assets gained now. 
User Rank: Apprentice
1/16/2018 | 4:17:46 PM
Re: ...and what about IG followers for Apple's?
Has ANYONE reported an actual threat that uses these exploits? Seems like this is still pretty theoretical at the moment. It also looks like some fancy assembler code will be needed to exploit these vulnerabilities, or am I just not getting it?
User Rank: Strategist
1/16/2018 | 2:36:47 PM
Re: ...and what about IG followers for Apple's?
Well, there were different mentions from different blogs. Can you please tell me where you found those sentences?
Kelly Jackson Higgins,
User Rank: Strategist
1/4/2018 | 10:20:18 AM
Re: ...and what about Apple?
We'll be reporting more on this today, including about Apple. Stay tuned! thanks.
User Rank: Strategist
1/4/2018 | 10:09:07 AM
...and what about Apple?
I'd expect some mention of Apple.  In other blogs, I saw a few sentences that said Apple had mitigation underway. Please finish the story!