Massive security flaw found in Intel CPUs, patch could hit performance by up to 30%

midian182

Staff member

Almost every Intel processor manufactured over the last decade contains a major security flaw that could be exploited in severe attacks. If that isn’t bad enough, patching the issue might slow down the performance of a CPU by up to 35 percent.

Update #1: A full update on the flaws dubbed Meltdown and Spectre can be read here.

Update #2: With an emergency fix for Windows 10 already out, we've conducted a set of tests to measure the impact this update has on performance for desktop users, if any at all.

The exact details of the vulnerability have been placed under an embargo to give Intel time to work on a fix. According to The Register, the flaw could allow normal user programs to see some of the content of protected kernel memory areas, which means any malicious programs might be able to read information like passwords, login keys, files cached from disk, and more.

“Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data,” wrote The Register.

As the problem is within the Intel x86-64 hardware, it can’t be fixed with a microcode update; instead, an OS-level fix is required for the affected operating systems, which include Windows, Linux, and macOS.

The immediate solution comes in the form of kernel Page Table Isolation (PTI), which separates the kernel’s memory from user processes. But this solution increases the kernel’s overhead, causing the system to slow down by five to 30 percent, “depending on the task and processor model.”

These KPTI [Kernel Page Table Isolation] patches move the kernel into a completely separate address space, so it’s not just invisible to a running process, it’s not even there at all. Really, this shouldn’t be needed, but clearly there is a flaw in Intel’s silicon that allows kernel access protections to be bypassed in some way.

The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel’s overhead, and slows down the computer.

Your Intel-powered machine will run slower as a result.

It seems companies that use virtualized environments are the biggest targets for those looking to exploit the vulnerability. “There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine,” wrote Python Sweetness. Microsoft, Amazon, and Google are all working on fixes set to be implemented over the next week.

For everyday users, it's possible the patches won’t have much of an impact on everyday usage and gaming frame rates. Additionally, future fixes should have less of an effect on performance.

Intel rival AMD has already used the vulnerability as a way of promoting its processors, which it says aren’t affected due to their extra security protections.

“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” wrote Thomas Lendacky, a member of the Linux OS group at AMD. “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”
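The fix described above lives in the operating system, so on Linux the kernel itself reports whether page table isolation is active. The following is an added example, not code from the article or its sources: it classifies a host from three kernel-reported inputs. It assumes a Linux kernel that exposes the sysfs `vulnerabilities/meltdown` file (4.15 and later, or a distribution backport); the sample inputs are constructed.

```python
from pathlib import Path

# Assumption: sysfs file present on Linux 4.15+ and distribution backports.
SYSFS = "/sys/devices/system/cpu/vulnerabilities/meltdown"
OFF_ARGS = {"nopti", "pti=off", "mitigations=off"}  # boot parameters that disable PTI

def field(cpuinfo, key):
    """Values of the first 'key : ...' line of /proc/cpuinfo, or an empty set."""
    for line in cpuinfo.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == key:
            return set(value.split())
    return set()

def kpti_state(sysfs, cpuinfo, cmdline):
    """Combine the kernel's own reports into one verdict string."""
    status = sysfs.strip()
    if status == "Not affected":  # what the kernel reports for an unaffected CPU
        return "not-affected"
    if status.startswith("Mitigation") or "pti" in field(cpuinfo, "flags"):
        return "mitigated"
    if status.startswith("Vulnerable") or "cpu_meltdown" in field(cpuinfo, "bugs"):
        off = set(cmdline.split()) & OFF_ARGS
        return "vulnerable-disabled-at-boot" if off else "vulnerable"
    # No sysfs entry and no cpuinfo hint: never read silence as "not affected".
    return "unknown"

def read(path):
    try:
        return Path(path).read_text()
    except OSError:
        return ""

def audit_host():
    return kpti_state(read(SYSFS), read("/proc/cpuinfo"), read("/proc/cmdline"))

# Constructed sample inputs: (sysfs text, cpuinfo excerpt, kernel command line).
SAMPLES = {
    "intel-patched": ("Mitigation: PTI\n", "flags\t: fpu pti\nbugs\t: cpu_meltdown\n", "ro quiet"),
    "intel-nopti": ("Vulnerable\n", "flags\t: fpu\nbugs\t: cpu_meltdown\n", "ro quiet nopti"),
    "amd": ("Not affected\n", "flags\t: fpu\nbugs\t: spectre_v1\n", "ro quiet"),
    "old-kernel": ("", "flags\t: fpu\n", "ro quiet"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", kpti_state(*sample))
    print("this host ->", audit_host())
```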


 
Apparently this has been known since at least November but Intel has been keeping things quiet till now. Smart move by Intel to rake in all those Christmas sales and to cash in on businesses using up the rest of their budget for tax purposes before they learn about this.

I have no idea if Intel is liable for the reduced performance here, but it is certain that this is going to cost cloud and datacenter companies bundles of cash as they will have to make up that lost performance.
 
End of year sales aside, the top execs also needed time to sell off their stock (not unlike the Equifax execs did) before making this public. It was already noticed, in December by market watchers, that Intel's CEO sold every bit of stock he legally could. That's a decent indicator of how bad this might be.
 
Doesn't look good for Intel - whilst gaming benchmarks may not have much of a hit (according to preliminary tests) how many of us have nothing else running on a clean OS build (if the background processes are severely hit - up 30% estimated this could cause latency issues). Embargo is lifted in a few days but I think my next build will definitely be AMD.
 
CVE-2017-5925 Class: Design Error since 2017/02/07
A Google search for "CVE-2017-5925 Class: Design Error" took me to a nice National Institute of Standards and Technology National Vulnerability Database that gives tech folk more details. Unbelievable that this was known (as @noname points out) as early as 27 Feb 2017. I don't understand most of this page, but when I see stuff like:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
my morale falls into my shoes, my jaw hits the floor....gobsmacked as they say
Overused word, but this truly is unbelievable
 
I don't run any sensitive programs using my PC, just the usual games. Will it be possible to bypass the fix in the next Windows update? Personally, I would rather take the increased security risk than pay a performance penalty.
 
Apparently this has been known since at least November but Intel has been keeping things quiet till now. Smart move by Intel to rake in all those Christmas sales and to cash in on businesses using up the rest of their budget for tax purposes before they learn about this.

I have no idea if Intel is liable for the reduced performance here, but it is certain that this is going to cost cloud and datacenter companies bundles of cash as they will have to make up that lost performance.
Actually, most of the information passed in today's news has been publicly available for at least two months, it's just the pass-the-news-over-and-over-again-to-spread-panic-machine that started this week on a lot of tech websites.
 
Doesn't look good for Intel - whilst gaming benchmarks may not have much of a hit (according to preliminary tests) how many of us have nothing else running on a clean OS build (if the background processes are severely hit - up 30% estimated this could cause latency issues). Embargo is lifted in a few days but I think my next build will definitely be AMD.
Unless your workload involves a lot of syscalls (e.g. heavy networking or intense mass storage I/O, like in database servers or video rendering), you won't notice a damn thing, because most software relatively rarely enters kernel mode - and the switches between modes are the only thing that will get slower.

I don't run any sensitive programs using my PC, just the usual games. Will it be possible to bypass the fix in the next Windows update? Personally, I would rather take the increased security risk than pay a performance penalty.
I don't think so, but you probably won't see any real performance penalty. It will be there for some computations, but most of the time it will be unmeasurable (next to none) or unnoticeable (within a couple percent).
 
Will it be possible to bypass the fix in the next Windows update? Personally, I would rather take the increased security risk than pay a performance penalty.
I agree about having the choice but it probably depends on your version of Windows. W10 is almost certainly going to be forced, whereas you can avoid it with W7 by disabling Windows Update service and simply installing patches manually. If that's the case, then for non-critical low-risk gaming machines, a lot of us still sticking to W7 are going to feel even less guilty about our "luddite-ness"... :)
 
Doesn't look good for Intel - whilst gaming benchmarks may not have much of a hit (according to preliminary tests) how many of us have nothing else running on a clean OS build (if the background processes are severely hit - up 30% estimated this could cause latency issues). Embargo is lifted in a few days but I think my next build will definitely be AMD.
Unless your workload involves a lot of syscalls (e.g. heavy networking or intense mass storage I/O, like in database servers or video rendering), you won't notice a damn thing, because most software relatively rarely enters kernel mode - and the switches between modes are the only thing that will get slower.

I don't run any sensitive programs using my PC, just the usual games. Will it be possible to bypass the fix in the next Windows update? Personally, I would rather take the increased security risk than pay a performance penalty.
I don't think so, but you probably won't see any real performance penalty. It will be there for some computations, but most of the time it will be unmeasurable (next to none) or unnoticeable (within a couple percent).
I expect a bit hit on our SQL databases - hopefully get year end out of the way before the update and latency may become an issue during gaming especially on heavily threaded workloads.
 
"If that isn’t bad enough, patching the issue might slow down the performance of a CPU by up to *35 percent*."
"causing the system to slow down by five to *30 percent*"

Some quality fact-checked information here.....
There is no actual fact-checking that can be done (yet). Some tests have even shown hits of over 60% in certain limited tests/workloads/system configs.

Here's a few things people should understand:
- this won't affect many day to day workloads in mainstream PCs, but you might see things like JavaScript getting hit by it or software that needs to use the virtual memory (not sure if browsers as a whole will be affected since they have many security features that rely on kernel ring restrictions and access to virtual memory).
- I don't know if games will be affected, but some anticheat/DRM solutions might.
- If you are a developer and you run VMs then you'll find that some things will indeed run slower.

There are a lot of unknowns about this bug since the Linux patches that are currently public have the comments redacted/censored. More details will be given in a few weeks after MS and Linux devs update the kernels (we have no idea about macOS and how and when they will fix this). Rumors say that the latest fast builds from Windows 10 already include an early version of the patch.

@Steve I know you guys are working on some A/B tests for this. I just hope you include as many generations of CPUs and some lower end CPUs too. (are server CPUs even possible to include?) This will require massive amounts of researching so good luck. It seems you'll be traveling in that patch release window too.
 
And because Intel knows how to $$$$influence$$$$ everything, the patch treats AMD CPUs like they also have the bug.


That is utter nonsense. The fix will not be installed on AMD CPUs. Windows has AMD directories where AMD drivers and processor enhancements are installed. NO Intel directories exist in an AMD Windows installation.
 
Yeah!!! AMD FTW!!!
Intel WTF?!!
C'mon, can I not exert a little bit of my unbiased fandom? ;)


I would enjoy the moment. I've always enjoyed AMD and this is interesting. I was actually planning on building a new PC over Christmas but the timing wasn't right. I had finally settled on building going Intel. But I think I might have to change direction and go back to AMD.
 
Big news, although the fact it has been kept very low key for quite a while suggests Intel have probably been working on a solution. I guess it depends how serious it is and under what circumstances it would actually be exploitable.
 
I don't run any sensitive programs using my PC, just the usual games. Will it be possible to bypass the fix in the next Windows update? Personally, I would rather take the increased security risk than pay a performance penalty.

No.

I mean, you could isolate your computer from the internet and prevent all future updates. But Microsoft isn't going to leave a vulnerability unpatched, even if the patch slows the computer down. So if you leave your computer connected, the patch is going in. There are no decisions for users to make.

But it's not a big deal for you if you're just gaming with your rig. The big impacts should be data-intensive, not compute-intensive. Which means mostly data centers are going to take an instant hit when the patch goes in. The internet itself will slow, though it's anyone's guess if it'll be noticeable by the average user. Gaming and bitcoin mining and other compute-intensive tasks will slow down when the patch goes in, too, but the impact should be at the low end of the estimated impact range.

For most people, their CPUs are mostly idle anyway. If you're running challenging AAA titles on your rig, you'll most likely be constrained by your GPU, not your CPU. Some gamers are still using 4th gen CPUs with a late-model GPU and are doing just fine with it.

You really should welcome the patch. You *think* that you're just gaming, but if you use your credit card for internet transactions, or use your home address to have stuff shipped to you, or subscribe to newspapers or web sites requiring passwords, or do your banking or pay bills on-line, or reveal your political leanings in e-mails or blog comments, or any number of other common uses, malicious hackers would love to see your data. They can make money off of it and inconvenience you to no end.
 
And because Intel knows how to $$$$influence$$$$ everything, the patch treats AMD CPUs like they also have the bug.


That is utter nonsense. The fix will not be installed on AMD CPUs. Windows has AMD directories where AMD drivers and processor enhancements are installed. NO Intel directories exist in an AMD Windows installation.

The news and public are the most likely to treat this like AMD has the bug, IF they notice the severity of this patch. "Better safe than sorry," so goes the FUD machine. Most "end users" don't even have a clue what CPU is inside their machines...or what a CPU is. Remember, for many people, a computer is a TOOL used to do something ELSE. If they do, most likely will assume Intel. "AMD makes processors? I thought they only did video cards..." Some people still think the screen is the computer/CPU, or that the box down there under the desk is the CPU. Still more of those also don't usually read tech news (like this article), or skip the comments (like I almost did).
 
A Google search for "CVE-2017-5925 Class: Design Error" took me to a nice National Institute of Standards and Technology National Vulnerability Database that gives tech folk more details. Unbelievable that this was known (as @noname points out) as early as 27 Feb 2017. I don't understand most of this page, but when I see stuff like:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
my morale falls into my shoes, my jaw hits the floor....gobsmacked as they say
Overused word, but this truly is unbelievable
It's almost like if you say worked at Intel, maybe being its CEO and knew about this since February 2017, that you'd be interested in some insider trading?

https://www.nystocknews.com/2017/12...ling-889878-shares-in-intel-corporation-intc/

https://www.reuters.com/finance/stocks/insider-trading/INTC.O?symbol=&name=Krzanich+(Brian+M

https://www.fool.com/investing/2017/12/19/intels-ceo-just-sold-a-lot-of-stock.aspx
 
CVE-2017-5925 Class: Design Error since 2017/02/07
A Google search for "CVE-2017-5925 Class: Design Error" took me to a nice National Institute of Standards and Technology National Vulnerability Database that gives tech folk more details. Unbelievable that this was known (as @noname points out) as early as 27 Feb 2017. I don't understand most of this page, but when I see stuff like:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
my morale falls into my shoes, my jaw hits the floor....gobsmacked as they say
Overused word, but this truly is unbelievable

If you read towards the bottom of that page, it lists some AMD CPUs also.
 