Intel Processor Security Flaw Prompts Kernel Makeovers in Linux, Windows

An as-yet undisclosed design flaw in Intel processors has OS programmers working on kernel updates that reportedly could slow performance.

A design flaw in Intel microprocessors has Linux and Microsoft Windows developers reworking their kernels to defend against exploitation of the security bug.

Details of the flaw have not yet been made public, and Intel and Microsoft have remained mum about the chip design flaw, which was first reported by The Register this week. The report said Microsoft is expected to issue updates for Windows in next week's Patch Tuesday batch, while Linux developers have been openly working on fixes online. According to the report, the OS updates ultimately could slow performance of the systems, in some cases by 5% to 30%. Newer Intel processors aren't as susceptible to a performance impact, the report said.

Renowned security expert Dan Kaminsky says without the details of the flaw out yet, it doesn't make sense to theorize about its ramifications. "I think we shouldn't speculate until the bug is disclosed," Kaminsky says. "Clearly, the notable part of this is whatever it is can't be addressed in microcode."

Intel had not responded to press inquiries as of this posting, and Microsoft declined to comment.

The flaw - which reportedly affects processors in millions of computers - could allow applications, including JavaScript in a Web browser, to read protected areas of the kernel memory.

The kernel is designed to separate "userland" from sensitive kernel areas "so that userland programs can't take over from the kernel itself and subvert security, for example by launching malware, stealing data, snooping on network traffic and messing with the hardware," wrote Sophos security analyst Paul Ducklin in a post today.

The new Linux patch will isolate the kernel memory from the user process via the so-called Kernel Page Table Isolation, KPTI.

"This security fix is especially relevant for multi-user computers, such as servers running several virtual machines, where individual users or guest operating systems could use this trick to “reach out” to other parts of the system, such as the host operating system, or other guests on the same physical server," Ducklin explained.

The risk of attack on appliances or endpoints such as a laptop appears to be low, he said, because an attacker would have to run code on the targeted machine to exploit it.

"On shared computers such as multiuser build servers or hosting services that run several different customers' virtual machines on the same physical hardware, the risks are much greater: the host kernel is there to keep different users apart, not merely to keep different programs run by one user apart," Ducklin said.
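Once the KPTI patches land, an administrator of a shared Linux host wants a quick way to confirm that the kernel actually has page-table isolation switched on. The script below is an added example, not code from the article, Sophos or the Linux developers. It assumes the two indicators that patched kernels expose: the sysfs file `/sys/devices/system/cpu/vulnerabilities/meltdown` (reporting "Not affected", "Vulnerable" or "Mitigation: PTI") and the `pti` entry in the `flags` line of `/proc/cpuinfo`; on an unpatched kernel neither is present, which the script reports as unknown rather than treating as safe.

```bash
#!/bin/sh
# Added example: classify a Linux host's Meltdown/KPTI status.
# Assumes the sysfs "meltdown" entry and the "pti" cpuinfo flag that patched
# kernels expose; older kernels have neither and are reported as "unknown".

# classify_meltdown <sysfs_text> <cpuinfo_flags_text>
# Prints exactly one of: not_affected, mitigated, vulnerable, unknown
classify_meltdown() {
    sysfs_text=$1
    flags_text=$2
    # Preferred source: the kernel's own verdict from sysfs
    case "$sysfs_text" in
        "Not affected"*) echo not_affected; return 0 ;;
        Mitigation:*)    echo mitigated;    return 0 ;;
        Vulnerable*)     echo vulnerable;   return 0 ;;
    esac
    # Fallback for kernels that predate the sysfs interface but carry KPTI:
    # the "pti" flag is matched as a whole word, padded with spaces
    case " $flags_text " in
        *" pti "*) echo mitigated; return 0 ;;
    esac
    # No evidence either way: do not assume the host is safe
    echo unknown
    return 0
}

# check_host: gather both inputs from the running system and classify them
check_host() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    sysfs_text=""
    [ -r "$sysfs" ] && sysfs_text=$(cat "$sysfs")
    flags_text=""
    if [ -r /proc/cpuinfo ]; then
        # First "flags" line only; "|| :" keeps a missing line from aborting under set -e
        flags_text=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2) || :
    fi
    classify_meltdown "$sysfs_text" "$flags_text"
}

# Constructed sample inputs (not captured from a real machine) showing the
# three shapes the classifier handles: sysfs present, flag-only, nothing present
SAMPLE_SYSFS_PATCHED="Mitigation: PTI"
SAMPLE_FLAGS_BACKPORT="fpu vme de pse tsc msr pae mce pti"
SAMPLE_FLAGS_UNPATCHED="fpu vme de pse tsc msr pae mce"

# Running the script prints the verdict for the host it is executed on
check_host
```

Run it on each host after the kernel update and reboot; a result of `vulnerable` or `unknown` on a multi-tenant build server or hypervisor is the case Ducklin describes and should be treated as an unpatched machine until the kernel is confirmed.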

Intel has been under the security microscope several times in the past year, starting with its May 2017 disclosure of a critical privilege-escalation bug in its Active Management Technology (AMT) firmware used in many Intel chips that affected AMT firmware versions dating back to 2010. It's up to hardware OEMs to update their platforms with Intel's fix.

The AMT vulnerability, discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. The flaw allows an attacker to remotely delete or reinstall the operating system on a vulnerable system, or control the mouse and keyboard, for instance.

Last fall, Intel patched a vulnerability in its microprocessors that could be used by an attacker to burrow deep inside a machine and control processes and access data - even when a laptop, workstation, or server is powered down. Researchers from Positive Technologies first discovered the flaw, a stack buffer overflow bug in the Intel Management Engine (ME) 11 system that's found in most Intel chips shipped since 2015. ME, which contains its own operating system, is a system efficiency feature that runs during startup and while the computer is on or asleep, and handles much of the communications between the processor and external devices.

And now the Intel design flaw, the details of which remain a mystery. "This flaw has existed for years and has been documented about for months, at least, so there is no need to panic; nevertheless, we recommend that you keep your eyes out for patches for the operating systems you use, probably in the course of January 2018, and that you apply them as soon as you can," Sophos' Ducklin advised.

The flaw also reportedly affects cloud services such as Amazon EC2, Microsoft Azure, and Google Compute Engine. "Amazon just sent a notice about a major security update and EC2 is scheduled to reboot this Friday," said Chris Morales, head of security analytics at Vectra. "If the Azure and Amazon reboots are related to the Intel flaw, it would demonstrate how far reaching the impact is. A phrase like 'the cloud is rebooting' is not something that anyone has had to say before, and it reminds me of the kind of far reaching impact that Y2K was feared to have had."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

User Rank: Strategist
1/4/2018 | 10:09:07 AM
...and what about Apple?
I'd expect some mention of Apple. In other blogs, I saw a few sentences that said Apple had mitigation underway. Please finish the story!