Kernel flaw forces Linux, Windows redesign

DelJo63

Excerpt from TheRegister.co.uk:
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday.

...

Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated – the flaw is in the Intel x86-64 hardware

The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI

These KPTI patches move the kernel into a completely separate address space, so it's not just invisible to a running process, it's not even there at all. Really, this shouldn't be needed, but clearly there is a flaw in Intel's silicon that allows kernel access protections to be bypassed in some way.

The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel's overhead, and slows down the computer.

Your Intel-powered machine will run slower as a result.

Recommend reading the original article for more details.

 
BTW:
combined in two attacks, named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)

NB:- Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995."

This clearly indicates that although the exposure has been long-lived, the reality is that existing exploits are extremely low -- nil?
 
BleepingComputer has a good read for desktop users and getting the MS updates:

To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.
What does this mean?
It means that if you go to the Windows Update section of your Windows operating system and you press "Check for updates," if something comes up, you're safe to install it.
Windows update packages (KB numbers) are available here. A different KB number will appear, depending on your operating system and hardware platform.
If nothing comes up, that means Windows has detected the presence of an incompatible anti-virus (AV) application on your system.
This Google Docs file contains a list of the responses from some AV companies.
 

Thanks for the information, jobeard.
I have lots of friends and relatives who use Windows, so I'll forward them your thread.
 