A vulnerability in modern Intel chips is forcing a redesign of the kernel software found on all major operating systems—and it could have a significant impact on the performance of your computer. The mysterious flaw, first reported by the Register, is extremely complicated. We’re going to simplify things so you can understand its consequences and know how to protect yourself.
The issue deals with memory in the kernel, the central part of an operating system that connects applications with your computer’s hardware. Whenever you run a program on your computer, it needs to switch control of the processor from the user to the kernel so it can carry out a task. It does so thousands of times a day. Needless to say, the kernel is extremely important.
There appears to be a hole in the workings of Intel’s processors that lets attackers use low-privileged processes to read kernel memory that the processor temporarily stores in a cache. That memory contains sensitive data—like passwords, files, and security keys—that could make it easy for hackers to put malware on your device. And while Intel says it “believes” the exploits do not have the “potential to corrupt, modify or delete data,” being able to spy on that sensitive content could be damaging enough.
Researchers at Google’s Project Zero identified two bugs based on the flaw: Meltdown and Spectre. Both attacks can affect computers, smartphones, and even cloud services that use Intel hardware.
“These hardware bugs allow programs to steal data which is currently processed on the computer,” the researchers wrote. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
The Meltdown bug “allows a program to access the memory, and thus also the secrets, of other programs and the operating system,” while Spectre “allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.”
You are almost certainly vulnerable to both of these attacks. Reports claim the flaw affects all x86 Intel CPUs shipped in the last 23 years. Since Intel has a claim on a large majority of the market—nearly 80 percent—almost everyone, from students to engineers, is at risk.
The good news is that Microsoft will address the vulnerability in a software update on Tuesday, Jan. 9 based on changes made in a beta version of Windows. Programmers are working tirelessly to patch the open-source OS Linux. Mac users should also have some comfort in knowing that Apple reportedly issued a partial fix in macOS 10.13.2 and will continue to improve things in 10.3.3. Still, no major operating system is fully protected.
Also, the patch could result in a significant decline in your computer’s performance.
“We’re looking at a ballpark figure of five to 30 percent slow down, depending on the task and the processor model,” the Register reports.
A number of programmers ran benchmark tests before and after the fix. Some tests resulted in a large drop in performance while there were no discernible differences in others.
Intel confirmed the performance differences will depend on what tasks users are performing.
“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” the company said.
It will also depend on the age of the processors. Generally, newer processors are better equipped to handle the patch.
It’s unclear if the kernel problem also affects processors made by AMD, Intel’s biggest rival. AMD engineer Tom Lendacky previously said that “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.” But in a blog post, Intel called out “inaccurate media reports” and suggested processors from other manufacturers are also vulnerable.
“Based on the analysis to date, many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits,” the post said.
Intel says it’s working with other companies and gave assurances that a fix would be released soon.
“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,” the company said.
Unfortunately, there’s not much you can do to protect yourself except wait for an update from your OS provider and download it as soon as possible—even if that means taking a hit in performance.
You can find more technical details on the flaw in the blog post published by Google’s Project Zero and on the Meltdown and Spectre site.