Tech giants scramble to fix critical Intel chip security flaw
(Image: file photo)
A design flaw in Intel chips has triggered a massive and coordinated response by tech giants to issue critical patches.
The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Macs, and Linux systems. Many cloud services running Intel-powered servers are also affected.
But details of the vulnerability remain largely under wraps as a result of an embargo to let tech companies patch their software and cloud servers.
Intel isn't able to fix the design flaw, forcing operating system and software makers to step in.
Incoming patches are expected to prevent attackers from exploiting the chips' design flaw, but have prompted concern that chip performance will be degraded as a result, potentially slowing down home and work computers, as well as cloud services that host popular sites and services.
Intel also did not respond to a request for comment prior to publication, but in a statement denied that the exploits were not caused by a "bug" or a "flaw."
"Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits," said Intel. "Intel believes these exploits do not have the potential to corrupt, modify or delete data."
AMD chips are not thought to be affected by the vulnerabilities. ARM told news site Axios prior to this report that some of its processors, including its Cortex-A chips, are affected.
Spokespeople for AMD and ARM did not immediately return an email for comment.
Microsoft is said to be planning to release patches on its usual Patch Tuesday update schedule, this month slated for January 10. (Windows Insiders on the fast-ring already received the patches in November.)
Apple reportedly patched the flaw in macOS 10.13.2. A spokesperson did not respond to a request for comment.
Patches for Linux systems have been posted privately; although, some developers are said to be frustrated that the comments describing the fix for the open-source software have been redacted to prevent details of the bug from leaking.
Microsoft and Amazon have announced scheduled downtime of their cloud services in the coming days, but did not say if it was relating to the bug or not.
Spokespeople for Microsoft and Amazon, when reached, did not immediately comment.
News of the bug first emerged Tuesday when tech site The Register reported that several tech companies are working to fix the vulnerability. On Wednesday, security researcher Erik Bosman tweeted proof-of-concept code.
The bug was described as early as July by Anders Fogh, whose write-up documented his atempts to read kernel memory from user mode.
The flaw is said to allow attackers to exploit ordinary apps to gain access to highly sensitive and protected areas of memory. A worst-case scenario is a low-privileged user on a vulnerable computer could run JavaScript code on an ordinary-looking web page, which could then gain access to the contents of protected memory.
The Linux fix will use kernel page table isolation (KPTI) to separate the kernel's memory from user-level processes. That separation is more time-consuming, making the process and computer slower.
The UK's National Cyber Security Center said in a statement that there is "no evidence of any malicious exploitation and patches are being produced for the major platforms."