Intel this afternoon addressed reports of a serious design flaw and security vulnerability in its CPUs, shedding additional light on the issue that was uncovered yesterday and has since received extensive media coverage.
In a statement on its website, Intel says that it planned to disclose the vulnerability next week when additional software patches were available, but was forced to make a statement today due to “inaccurate media reports.”
According to Intel, the issue is not limited to Intel chips and the exploits in question do not have the potential to corrupt, modify, or delete data. Despite Intel’s statement, Intel chips are more heavily impacted, and it’s worth noting that Intel makes no mention of reading kernel level data.
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel says it is working with several other technology companies including AMD, ARM, and operating system vendors to “develop an industry-wide approach” to resolve the problem “promptly and constructively.”
As outlined yesterday, the design flaw appears to allow normal user programs to see some of the contents of the protected kernel memory, potentially giving hackers and malicious programs access to sensitive information like passwords, login keys, and more. Fixing the issue involves isolating the kernel’s memory from user processes using Kernel Page Table Isolation at the OS level.
Despite reports suggesting software fixes for the vulnerability could cause slowdowns of 5 to 30 percent on some machines, Intel claims performance impacts are workload-dependent and will not be noticeable to the average computer user.
Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel goes on to say that it believes its products are “the most secure in the world” and that the current fixes in the works provide the “best possible security” for its customers. Intel recommends that users install operating system updates as soon as they are available.
For Mac users, Apple has already addressed the design flaw in macOS 10.13.2, which was released to the public on December 6.