A massive, mysterious security flaw in Intel CPUs is forcing a redesign of the kernel software at the heart of all major operating systems, The Register is reporting. Since the issue lies directly in Intel’s x86-64 hardware, Windows, Linux, and Mac all need to protect against it. Processors from other companies may also be affected. And worse, it appears that plugging the hole will negatively affect your PC’s performance.
It’s hard to dive too technically into the issue, as major hardware and software vendors are working together quietly to fix the kernel issue before making the vulnerability public. But The Register’s reporting and comments on patch code coming in hot to the Linux kernel, with details redacted to obscure the exact nature of the vulnerability, give us insight into the issue.
Here’s a high-level look at what we know so far about the Intel CPU kernel bug affecting Linux, Windows, and presumably Macs. Expect it to be updated repeatedly as the problem becomes more clear.
Intel processor kernel bug FAQ
Editor’s note: This article was most recently updated to include comments from an Intel statement about the kernel exploit and its performance concerns throughout.
Give it to me straight—what’s the issue here?
The bug in play here is extremely technical, but in a nutshell, the flaw lets the contents of protected kernel memory leak, which could lead to extremely sensitive data being exposed to apps and hackers, or make it easier for attackers to inject malware into your PC.
Intel says that “these exploits do not have the potential to corrupt, modify or delete data,” though simply being able to read the contents of protected kernel memory could give attackers access to your passwords, login keys, and much more.
What’s a kernel?
The kernel is the core of the operating system, basically an invisible process that facilitates the way apps and functions work on your computer. It has complete control over your operating system. Your PC needs to switch between user mode and kernel mode thousands of times a day, making sure instructions and data flow seamlessly and instantaneously. Here’s how The Register puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It’s there, and no normal being can see it, yet they can pray to it.”
How do I know if my PC is at risk?
Short answer: It is. There isn’t any concrete data yet, but speculation is that the bug affects all Intel x86 CPUs produced over the past 10 years, regardless of the OS you’re running or whether you have a desktop or laptop. There are some reports that say newer Intel CPUs are less impacted than older ones, but the full extent is unclear.
A Linux kernel patch is also being prepared for 64-bit ARM processors. Details are murky, though a statement from Intel says that “many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits.”
So if it’s a chip problem, then Intel needs to fix it?
Yes and no. While Intel (and any other affected CPU manufacturers) will surely address the problem in future chips, the fix for PCs in the wild needs to come from the OS manufacturer, as a microcode update won’t be able to properly repair it.
I use a Mac, so I’m OK, right?
Not this time. The vulnerability here affects all Intel x86 chips, so that means Macs are at risk too. However, Apple quietly protected against the exploit in macOS 10.13.2, which was released on December 6, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says.
So, what can I do?
Not much besides updating your PC when a fix becomes available. Since the issue is such a deeply technical one there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive. Definitely make sure you’re running security software in the meantime—advice that Intel also stresses.
Do you know when a fix will come?
Linux developers are working furiously to address the flaw in a new kernel update. Expect it soon.
Microsoft is expected to patch the problem during its Patch Tuesday updates on January 9, after testing it on recently released Windows Insider preview builds. That timeline appears to have been corroborated by Intel’s statement, which says, “Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available.”
With macOS High Sierra, it seems as though Apple is already working on the issue. As noted above, a developer discovered a patch already exists in macOS 10.13.2.
So once the fix arrives then I’m good?
Well, the patch will plug the risk, but you might not like the side effects. While the fix will prevent kernel memory from leaking, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.
How much slower will my Intel PC become?
More recent Intel processors from the Haswell (4th-gen) era onward have a technology called PCID (Process-Context Identifiers) enabled and are said to suffer less of a performance hit. Plus, some applications—most notably virtualization tasks and data center/cloud workloads—are affected more than others. The Register says “we’re looking at a ballpark figure of five to 30 percent slow down, depending on the task and the processor model.” Intel confirmed that the performance loss will be dependent on workload, and “should not be significant” for average home computer users.
“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.
“It will depend heavily on the hardware too,” he continued. “Older CPUs without PCID will be impacted more by the isolation. And I think some of the back-ports won’t take advantage of PCID even on newer hardware.”
Michael Larabel, the open-source guru behind the Linux-centric Phoronix website, has run a gauntlet of benchmarks using Linux 4.15-rc6, an early release candidate build of the upcoming Linux 4.15 kernel. It includes the new KPTI protections for the Intel CPU kernel flaw. The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks. PostgreSQL and Redis suffered a loss, but to a far lesser degree. Finally, H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks didn’t lose anything.
Your mileage will indeed vary, it seems. Keep in mind that Phoronix’s testing was conducted on a non-final release, and that the Linux and Windows kernels are two very different beasts, so don’t treat these as a locked-in look at what to expect from the eventual fixes for the Intel x86 kernel bug. We won’t know the full extent of the slowdown on Windows and macOS machines until a patch lands.
Will my games get slower?
Maybe not. Phoronix also tested Dota 2, Counter-Strike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64. None saw a frame rate change outside the margin of error range.
None of those run on Microsoft’s DirectX technology though, which integrates deeply with the Windows operating system. It remains to be seen how DX games perform in the wake of the forthcoming patches.
Are AMD processors affected?
It doesn’t appear so. In a message to the Linux Kernel Mailing List, AMD’s Tom Lendacky asked for Linux’s “Kernel Page Table Isolation” (KPTI) fix to not apply to Team Red’s processors.
“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” he wrote. “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”
AMD CPUs could potentially wind up suffering a performance hit as collateral damage, though. It depends on how the final patches for the Intel CPU kernel bug are implemented. Operating system makers could code in exceptions for AMD processors to keep them at full speed, as Lendacky requested for the Linux kernel. But operating system vendors may also take a scorched-earth approach and force the fix onto all x86 processors just to be safe.
Again, we won’t know which approaches are taken until the patches are made public. The performance war between Intel’s chips and AMD’s new Ryzen CPUs may get even tighter, though.
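On a Linux machine, the factors discussed above (PCID support, the CPU vendor, and whether page table isolation was actually switched on) can be read from /proc/cpuinfo. The script below is an added example, not code from this article or from the kernel developers; it assumes a kernel that lists `pti` among the CPU flags when isolation is active, and the function names and `expected_hit` labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article): summarize KPTI-relevant facts
# from a /proc/cpuinfo-style file. Function names are hypothetical.

# Print the value of the first "key : value" line whose key is $1 in file $2.
cpuinfo_field() {
    awk -F': *' -v key="$1" '
        { k = $1; sub(/[ \t]+$/, "", k) }
        k == key { print $2; exit }
    ' "$2"
}

# Succeed if $1 is a whole word in the flags line of file $2, so that
# "invpcid" alone is never mistaken for "pcid".
has_flag() {
    case " $(cpuinfo_field flags "$2") " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit one line: vendor, whether isolation is on, PCID support, and the
# relative slowdown the article's sources lead one to expect.
kpti_report() {
    file="${1:-/proc/cpuinfo}"
    vendor=$(cpuinfo_field vendor_id "$file")
    if has_flag pti "$file"; then pti=on; else pti=off; fi
    if has_flag pcid "$file"; then pcid=yes; else pcid=no; fi
    if [ "$pti" = off ]; then hit=none-isolation-off
    elif [ "$pcid" = yes ]; then hit=lower-with-pcid
    else hit=higher-without-pcid
    fi
    echo "vendor=${vendor:-unknown} pti=$pti pcid=$pcid expected_hit=$hit"
}

# Constructed sample, not captured from a real machine.
sample=$(mktemp)
printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu pcid invpcid pti\n' > "$sample"
kpti_report "$sample"
rm -f "$sample"
```

Calling `kpti_report` with no argument reads the live /proc/cpuinfo. An AMD system that reports `pti=on` is one where the fix was applied to all x86 processors rather than carving out the exception Lendacky requested.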
That sucks! There’s nothing I can do!?
We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.