January 4, 2018 // 11:05 a.m.
Full details of the security vulnerability in Intel processors which has had operating system vendors scrambling to patch the hole have now been released under the codename Meltdown, alongside a second related vulnerability which can affect other manufacturers' processors as well: Spectre.
The news of a major security flaw in the hardware of Intel processors broke ahead of schedule through the analysis of patches provided to the Linux Kernel Mailing List. The patches, which introduced a new kernel security feature dubbed Page Table Isolation, were designed to solve an at-the-time unannounced security vulnerability affecting almost Intel processors of the last couple of decades. In doing so, the patches - which have been joined by similar updates for Windows and macOS - reduced the performance of selected server-centric workloads by between five and 35 percent, though Intel claims standard consumer workloads will see a far smaller performance hit of between zero and two percent.
With the cat out of the bag, Intel, AMD, Arm, and Google - the company whose Project Zero security programme first discovered the flaw - have gone public, and in doing so have likely wiped the smile off the face of anyone running a non-Intel chip: Although the original vulnerability, Meltdown, is Intel-specific, a related vulnerability known as Spectre is known to be exploitable across parts from all three companies.
'Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,' Intel has said of the flaw. 'Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.'
AMD, meanwhile, has admitted that one of the three vulnerability variants - a version of Spectre - can be exploited on its own hardware, though the other two are claimed to have 'not been demonstrated on AMD processors to date' and represent '[no] vulnerability due to AMD architecture differences.' The first, vulnerable, variant - a bounds check bypass - will be resolved through operating system patches, the company has stated, with 'negligible performance impact expected.'
Arm, meanwhile, has confirmed that the use of the vulnerable speculative execution performance-boosting technique from which Spectre gets its name means that its Cortex-A IP, found in smartphones, tablets, and a variety of high-performance embedded devices, is vulnerable, though its lower-power Cortex-M family is not.
Google's release on the vulnerability, penned by Project Zero's Jann Horn, has technical details on the three variants: Bounds check bypass and branch target injection, which form the cross-vendor Spectre, and rogue data cache loading, which forms the Intel-specific Meltdown attack. Of the three, Meltdown is the easiest to exploit, but its cross-vendor nature means that Spectre is the most concerning and wide-reaching.
Patches for Windows and Linux have already been released, though Microsoft warns that selected anti-virus products will prevent the patch from being installed and, worse, that the patch cannot be installed on a system with no anti-virus present - the default for the company's server products. A partial patch is already available in the latest macOS, with a fuller patch in testing for public release. Google's Android, meanwhile, is secure as of the latest Security Release - though third-party vendors often lag considerably behind when it comes to rolling these into their own Android variants and providing them to end users.
More details on the vulnerabilities, including white papers for both Meltdown and Spectre, are available on the official website. Intel head Brian Krzanich, meanwhile, is being faced with questions over his sale of the maximum Intel shares allowable by law after the company was informed of the Meltdown vulnerability but before it was made public knowledge.