A design flaw in Intel chips has triggered a massive and coordinated response by tech giants to issue critical patches.
The vulnerability affects operating systems and devices running on Intel processors developed in the past decade, including Windows, Macs, and Linux systems. Many cloud services running Intel-powered servers are also affected.
But details of the vulnerability remain largely under wraps as a result of an embargo to let tech companies patch their software and cloud servers.
Intel isn’t able to fix the design flaw, forcing operating system and software makers to step in.
Incoming patches are expected to prevent attackers from exploiting the chips’ design flaw, but have prompted concern that chip performance will be degraded as a result, potentially slowing down home and work computers, as well as cloud services that host popular sites and services.
Intel also did not respond to a request for comment prior to publication, but in a statement denied that the exploits were not caused by a “bug” or a “flaw.”
“Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits,” said Intel. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
AMD chips are not thought to be affected by the vulnerabilities, but the researchers warned that it’s “unclear” if AMD and ARM chips, typically found in low-power devices, could be exploited.
Spokespeople for AMD and ARM did not immediately return an email for comment.
Microsoft is said to be planning to release patches on its usual Patch Tuesday update schedule, this month slated for January 10. (Windows Insiders on the fast-ring already received the patches in November.)
Apple reportedly patched the flaw in macOS 10.13.2. A spokesperson did not respond to a request for comment.
Patches for Linux systems have been posted privately; although, some developers are said to be frustrated that the comments describing the fix for the open-source software have been redacted to prevent details of the bug from leaking.
Spokespeople for Microsoft and Amazon, when reached, did not immediately comment.
News of the bug first emerged Tuesday when tech site The Register reported that several tech companies are working to fix the vulnerability. On Wednesday, security researcher Erik Bosman tweeted proof-of-concept code.
AMD chips are not affected by the flaw.
The bug was described as early as July by Anders Fogh, whose write-up documented his atempts to read kernel memory from user mode.
The Linux fix will use kernel page table isolation (KPTI) to separate the kernel’s memory from user-level processes. That separation is more time-consuming, making the process and computer slower.
The UK’s National Cyber Security Center said in a statement that there is “no evidence of any malicious exploitation and patches are being produced for the major platforms.”