#PatchTuesday
A Major Security Vulnerability Has Plagued Intel Chips Since 1995
A vulnerability discovered by security researchers in Intel processors manufactured over the last twenty-three years is poised to wreak havoc on the world of computing. And the patch? Well, it might not be pretty.
The researchers who discovered the vulnerabilities, called “Meltdown” and “Spectre,” said that “almost every system,” since 1995, including computers and phones, are said to be affected by the bug. The researchers also verified their findings on Intel chips dating back to 2011 and released their own proof-of-concept code to allow users to test their machines.
“Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine,” according to the research paper.
Intel said that it would issue its own microcode updates to address the issue, and over time some of these fixes will be rolled into hardware.
Microsoft is issuing a rare out-of-band security update to supported versions of Windows yesterday. The update will also be available for older and supported versions of Windows, but systems running operating systems like Windows 7 or Windows 8 won’t automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated.
Google, too, issued its own statement on which of its products could be affected: These include Chrome and Android phones, though the latter will depend on how quickly phone makers roll out updates.
According to developer Alex Ionescu, Apple introduced a fix in December in macOS 10.13.2, with additional tweaks set to be introduced in macOS 10.13.3, currently in beta testing. AppleInsider also says that it has heard from “multiple sources within Apple” that updates made in macOS 10.13.2 have mitigated “most” security concerns associated with the KPTI vulnerability.
The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 — and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle pic.twitter.com/S1YJ9tMS63
— Alex Ionescu (@aionescu) January 3, 2018
And while the vulnerability can be patched on the OS level (patches for the Linux kernel are already available even though the notes try to tap dance around the true nature of the issue).
The firmware updates and software patches could cause some systems to run slower. Sources familiar with the situation say that Intel processors that are based on Skylake or newer architecture won’t see a significant performance degradation. However, older processors could slow down more significantly due to the firmware and software updates.
Intel says any slowdowns will be “workload-dependent,” but the company has not expanded on how this will affect older machines.
Pardon has been a technology enthusiast his entire life and has spent the better part of last decades in information technology and security, and he writes with an aim to remove some of the "mysticism" from the cyber world. He’s the Editor at Techunzipped. Away from the keyboard, you're likely to find him playing with the latest gadgets or the latest Game.
