Windows and Linux to Patch Major Intel Chip Flaw

January 3, 2018 CyberCecurity 1 Comment

UPDATE: Google’s Project Zero released information about the flaw and attacks as reports and speculation escalated (see here). Reporters, including this one, are just learning the details of this. An FAQ about the attack, which says that it affects Intel, AMD and ARM processors is available here. It does, they say, affect every microprocessor made since 1995.

Microsoft released an emergency patch overnight and Amazon announced that they have completed patching all but a small number of machines, which will be patched in the next few hours. Expect more announcements over the next days.

Keep in mind that attackers will have to figure out how to weaponize this, but applying this patch should be considered critical.

The big tech news of the day is that Microsoft and the Linux community are about to release major patches to both environments including all supported versions of both to cover a known problem in the Intel x-64 environment. For Linux users, you will need to make sure that the particular distribution that you are running has the patch. I assume but do not know that Microsoft will patch all supported operating systems back down to Windows 7.

Intel made some design decisions years ago to combine the operating system kernel and the user’s code into a combined environment to make it quicker to provide operating system services to user programs.

The details of the bug have been embargoed until the Windows and Linux patches have been released. Apple released their MacOS patch (10.13.2) in mid December. Still, reverse engineering betas of the Linux code is giving folks at least a partial idea of the problem.

Several years ago operating system vendors implemented a feature called address space layout randomization or ASLR, sometimes called KASLR for Kernel ASLR. ASLR randomizes where operating system modules are placed in memory in order to make it harder for attackers to jump to places in the operating system to do their dirty work.

Unfortunately, it appears, the bug allows programs, from web browsers to databases to read the kernel memory. IF it is possible for user programs to access the operating system kernel memory, they could find passwords, among other things. They could also read the tables used for ASLR, effectively totally neutering that technology.

Given all this and possibly more, the patch becomes critical.

For enterprises and end users, installing these patches quickly is important because as of today, hackers are likely thinking about how to abuse your systems.

A couple of more things.

The question came up whether Intel could patch the microcode to fix this. The answer, apparently, was no. This was a fundamental design flaw.

Also, apparently, it required major effort on the part of Windows and Linux developers. So much so that they were tempted to name it Forcefully Unmap Complete Kernel With Interrupt Trampolines. You can figure out what the acronym for that would be.

Oh yeah, there was a reason that Intel did things the way that they did – PERFORMANCE. This performance change will cause a performance decrease of from 5% to 30% depending on the chip family. This means that the patches have to be coded differently for different chip generations. The performance hit will especially hit cloud providers like Google Compute Engine and Amazon EC2.

Finally, since this is a problem with Intel’s chip implementation, it does not affect servers with AMD processors in them.

I assume that Intel will fix this in the next generation of chips, but then we will have to add yet another hack to look to see if this is a new chip with the instructions implemented differently and code that again differently. What a mess. Shades of the Intel 486 Divide problem. At least that could be fixed by updating the microcode in the chip.

This one is a big deal!

Information for this post came from The Register.