Gillware's "A Christmas Carol"
Gillware’s “A Christmas Carol,” Part Five: The Spirit of Backup
December 29, 2017
National Cheese Lover's Month
Your Backup is Swiss Cheese
January 19, 2018

Intel Processor Security Issue – What You Need To Know

UPDATE 1/8/2018: Intel claims that patches for Meltdown and Spectre will be coming to 90% of CPUs in the coming week. CPU performance impacts to single users have been minor at worst so far, although some cloud providers have experienced troubles with their services and pointed fingers at the bug.

UPDATE 1/4/2018: Earlier impressions were that only Intel processors suffer from a bug rendering bad actors capable of accessing sensitive information, now known as "Meltdown." Reuters is now reporting that a similar hardware issue known as "Spectre" affects both AMD and ARM CPUs, effectively putting virtually all computers and mobile devices at risk.

Summary on the Intel Processor Security Issue

  • New hardware security flaw discovered in last decade of Intel processors
  • Passwords & other sensitive data could be available to hackers
  • Patches available on Linux: forthcoming on Mac and PC
  • Up to 30% decrease in processor performance after patch
Read on for more info
'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign,” writes John Leyden and Chris Williams for The Register, a UK IT news website. “A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.”

A Total Meltdown, In Layman’s Terms

A hardware flaw has been discovered in all Intel processors produced in the past decade. That’s every computer with an Intel CPU you’ve bought since 2008! In layman’s terms, the flaw allows even in-browser Javascript or some other nefarious code on the user privilege level to execute arbitrary code on the kernel level.
The actual details of this bug are quickly becoming more well-known after The Register's reporting spurred awareness. The bug is known as "Meltdown."

Intel CPUs have been using a special trick to jump back and forth between this machine code and user-level commands quickly enough to keep up the pace with the user’s demands. Unfortunately, this shortcut also leaves the door open for just long enough for a sufficiently-determined someone or something to sneak through, sift through the kernel memory, or even execute arbitrary code on the kernel level.

The Lord of the Rings

The deepest, highest-privileged, and most-private section of your computer is the kernel. To you, the user, the kernel is akin to a god, invisible and omnipotent as it looks down on you and answers your prayers. You can go through your life using your computer without caring so much that the kernel exists, but its existence ties the universe together.

The most devastating security holes in computer systems take this invisible and distant god and drag it down to earth. It’s just like the classic Joan Osborne song that asks “What if God was one of us…” only significantly more frightening.

Your computer’s ecosystem is divided into tiers of privilege known as “Rings.” The lower the ring, the higher the privilege. The kernel lives on Ring 0; you, the humble user, live on Ring 3. Ring 0 is the Asgard to your Midgard.

Learn more about user and kernel mode
Transitioning from kernel mode (working in Ring 0) to user mode (working in Ring 3) takes effort. To boost performance, Intel came up with a way to jump between the two. However, this method exposes the kernel’s memory space to user code. Within that memory space one may find:
  • Passwords
  • Login keys
  • Cached files
As well as other potentially-sensitive data. This data could be mined by malware and used to further compromise your system.

Thunder Strikes Twice

We’ve talked in October 2017 about how hardware flaws can let intruders sneak into lower rings and compromise systems in our blog post on the Thunderstrike exploit which affected Mac computers. In the case of Thunderstrike, a flaw potentially allowed access to rings even lower than Ring 0.

This Intel bug, now known as Meltdown, is probably bigger and more worthy of your concern than Thunderstrike.

Your system is more likely to be compromised. Between Meltdown and Spectre virtually all Intel and AMD processors, along with a small but significant subset of ARM processors, can fall victim to these cache-timing side-channel exploits.

And that includes the big names, not just home users. Even platforms such as Amazon EC2, Microsoft Azure, and Google Compute Engine will feel the impact.

A Painful Patch

The only fix for the bug is a more solid wall between the kernel and the user space… which prevents Intel CPUs from switching rapidly between the two rings. Patches for Windows, Mac, and Linux kernels will close the backdoor Intel CPUs have been using. Unfortunately, by cutting off the CPU from its handy shortcut, the processor’s performance suffers. Any Intel processor produced in the past decade could potentially see a performance reduction of anywhere from five to thirty percent depending on the specific model of processor. Linux users who have already patched their systems have documented these performance hits. However, the most recent updates for macOS Sierra and High Sierra do not seem to have noticeably affected CPU performance, and Intel is downplaying the effect of patches on CPU performance.

Imagine what a performance decrease of up to 30 percent could mean for large data centers such as those owned by Amazon or Facebook.

“If the cure sounds worse than the disease, remember that a slower, secure platform is far better than a faster, insecure platform.”
Nathan Little - Gillware Digital Forensics


This small patch, to the Linux Kernel, is the most epic burn on @Intel by @AMD.  Paraphrased in English:

Tech journalist Bryan Lunduke finds what could be a dig at Intel in a recent Linux kernel patch

Microsoft and Apple have yet to release kernel patches to resolve this issue, but they could come very soon. If you are a Mac or PC user, the next automatic update will likely include these kernel patches, so be sure not to sleep on them (I know how we all like to put off updates until they’re more convenient).

Linux users will have to do a bit more legwork to update their kernels, but fortunately, kernel patches for distributions of Linux already exist and can be implemented now.
Intel itself identified a similar vulnerability earlier in 2017 and produced a patch for affected CPU models in November. In a worst-case scenario, this bug could allow somebody to “load and execute arbitrary code outside the visibility of the user and operating system.” If you use any of the identified models of Intel CPU, make sure you have updated its firmware.

While this bug, now known as "Meltdown," only affects Intel processors, a similar vulnerability dubbed "Spectre" affects Intel, AMD, and ARM processors, effectively putting every computer and mobile device at risk. Spectre is a result of modern CPU architecture and will be much harder to patch than Meltdown, although it is also more difficult to take advantage of than Meltdown.


Gillware will keep an eye out for future fixes to Meltdown and update this post when more information becomes available.

UPDATE 1-4-2018:

Meltdown and Spectre together affect virtually all modern processors and computing devices.

WINDOWS USERS: If your PC contains certain models of AMD processor, Microsoft's latest security update may cause it to stop booting. A new patch will be available soon.

MAC USERS: The latest updates to Sierra and High Sierra will protect you from Meltdown. Install the updates as soon as you have the opportunity. So far the patch seems to avoid any significant performance hits.

LINUX USERS: Instructions on applying a kernel patch are available here.

For more information on Spectre and Meltdown, visit MeltdownAttack

Will Ascenzo
Will Ascenzo
Will is the lead blogger, copywriter, and copy editor for Gillware Data Recovery and Forensics, and a staunch advocate against the abuse of innocent semicolons.
//]]>