(Cyberscoop) -- The flaw, which affects most Intel processors built over the last 10 years, allows commonly used programs to read the contents or layout of a computer’s protected kernel memory areas. That area can contain passwords and other fundamentally sensitive files hidden from other software. In a worst-case scenario, some JavaScript in a web browser could be used to seek out and find some of a machine’s most sensitive data.
Intel released a statement on Wednesday afternoon saying that the bug is not unique to Intel products and that “many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.” Intel’s statement explicitly denies that the exploits can corrupt, modify or delete data but says nothing about the ability to read or access data — which is really the focus of the discussion so far.
The forthcoming patches to Linux, Windows and MacOS will result in degraded performance to a number of machines. On various securityand hardware message boards, users reported a performance reduction between 5 percent and 30 percent. That drop-off would disproportionately hurt the vast majority of data centers and cloud infrastructure running Intel chips.
Details around the security flaw remain sparse. Although the issue is just coming into public view, it’s been widely known in security-centric corners of the tech industry for at least the past several months and possibly longer. The problem was first thoroughly outlined earlier this week in a software developer’s blog post and then further detailed by The Register.
The public embargo is expected to lift soon and Microsoft is expected to patch Windows in a forthcoming Patch Tuesday. Urgent work has been going on to fix the issue since at least October, the company said. Patches for the Linux Kernel are available now, but the details remain obfuscated.
The fix requires a fundamental redesign of the operating system kernel, the software that manages a machine’s resources. It’s meant to be nearly all-powerful and all-secure. This flaw renders it plainly vulnerable across platforms.
It’s hard to find a company using any sort of technology that wouldn’t be affected by this disclosure. Most importantly, cloud computing companies like Amazon, Microsoft and Google look like they’ve been working on a fix for a long time. The three companies did not respond to requests for comment.
Both Microsoft and Amazon recently warned customers to expect major security work and maintenance within the next week. Fixing the issue requires either major software patches or replacing old chips with new ones that lack the flaw.
The United Kingdom’s National Cyber Security Centre issued a statement Wednesday saying it was aware of the flaw but had not seen criminals leverage the vulnerability for any sort of malicious activity.
“At this stage there is no evidence of any malicious exploitation and patches are being produced for the major platforms,” the statement reads. “The NCSC advises that all organisations and home users continue to protect their systems from threats by installing patches as soon as they become available.”
The U.S. Computer Emergency Readiness Team (U.S.-CERT) has not issued any bulletins related to the flaw as of this article’s publication.
(Photo: Flickr user lungstruck // CC-BY-2.0)