Design flaw found in Intel processors, fix could bring substantial performance hit (Updated)

The Register reports that a flaw in the design of Intel processors has programmers "scrambling" to redesign the Linux and Windows kernels to close an attack vector that could allow hackers to access passwords, files cached on a disk, and more. What's more, the fixes being worked on could reportedly slow down PCs by anywhere from five to 30 percent.

The bug itself is still under embargo, with specifics set to be released later this month, according to the report. However, some details of the flaw are available. From The Register:

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.

The fix that is in the works involves separating the kernel's memory from user processes as part of what's called Kernel Page Table Isolation (KPTI). The issue with this approach is that it could reportedly result in the aforementioned performance slowdowns after the kernel has been patched.

It's important to note that AMD says its processors are not impacted by this bug.

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

Since the flaw is present across Intel processors going back years, it impacts Linux, Windows, and macOS. For Windows users in particular, however, The Register reports that Microsoft shipped fixes with Windows Insider builds on the Fast ring in November and December, and the company is set to potentially roll out the fix to everyone in an upcoming Patch Tuesday update. While the details of the flaw aren't yet publicly available, we should learn much more once a fix is available.
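
For Linux systems, the following added example (not part of the original article and not any vendor's code) shows one way to check whether the kernel page table isolation described above is active. It assumes a kernel that carries the fix, which reports its status in /sys/devices/system/cpu/vulnerabilities/meltdown and through the cpu_meltdown and pti entries in /proc/cpuinfo; those names come from the Linux kernel, not from this article.

```shell
#!/bin/sh
# Added example: report whether kernel page table isolation (KPTI) is active.
# Arguments override the default paths so the function can be fed sample files.
kpti_status() {
    vuln_file=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    cpuinfo=${2:-/proc/cpuinfo}

    # Kernels that carry the fix publish their own verdict in sysfs.
    if [ -r "$vuln_file" ]; then
        case "$(cat "$vuln_file")" in
            "Not affected"*)    echo not-affected ;;
            "Mitigation: PTI"*) echo mitigated ;;
            Vulnerable*)        echo vulnerable ;;
            *)                  echo unknown ;;
        esac
        return 0
    fi

    # Fallback: the "bugs" line lists cpu_meltdown on affected CPUs and the
    # "flags" line lists pti when isolation is switched on. If the kernel
    # does not list the bug at all, it may simply predate the fix, so the
    # answer is "unknown" rather than "not affected".
    if [ -r "$cpuinfo" ] && grep '^bugs' "$cpuinfo" | grep -qw cpu_meltdown; then
        if grep '^flags' "$cpuinfo" | grep -qw pti; then
            echo mitigated
        else
            echo vulnerable
        fi
    else
        echo unknown
    fi
}

# Constructed sample: an affected CPU on a kernel booted with isolation on.
sample=$(mktemp)
printf 'flags\t\t: fpu vme pti\nbugs\t\t: cpu_meltdown\n' > "$sample"
echo "constructed sample: $(kpti_status /nonexistent "$sample")"
echo "this host:          $(kpti_status)"
rm -f "$sample"
```

A result of "unknown" on a real host means the kernel gives no verdict either way and should be treated as unpatched until the kernel version is checked.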

Updated 4:22 PM ET: Intel has now responded, stating that the issue is not exclusive to Intel products and that it is working with other companies across the industry, including AMD and ARM, to address the problem. Further, Intel says that it was planning to disclose the issue next week when "more software and firmware updates will be available." AMD has also confirmed that its chips are affected in some capacity, but claims that there is "near zero risk to AMD processors at this time."

Updated 7:30 PM ET: Researchers have now disclosed two new exploits that impact virtually all modern processors from ARM, Intel, and AMD. Microsoft has also issued an emergency patch for Windows users.

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts.

48 Comments
  • Since AMD Ryzen came out, I've been taking a serious look at them for my next build. Just one more reason to go that direction. Big reason.
  • Same here, my motherboard is hobbling along, only realised that fact when I started overclocking my XFX RX 480 and lost 3 I/O ports after a BSOD. I'm waiting for 2nd gen Ryzen CPUs as by then 1st gen CPUs will be pretty darn cheap, will have a lot more information, build choices and RAM bundles.
  • Just built my new pc with Ryzen 5 1600 love it
  • Wowsers.  This is, potentially, huge.
  • "Microsoft shipped fixes with Windows Insider builds on the Fast ring in November" But why is Microsoft shipping fixes and not Intel shipping chips. Hullabaloo advert.
    Poor Windows phone is getting isolated.
  • Because it’s easier to fix software than to replace the CPU of a computer.
  • I want a replacement chip.
    I don't run an OS, i use the bios power management to make other devices connected by USB energy efficient
  • I’m sure you can get a new CPU, but it won’t be free. Also, if you are not running an OS then you have nothing to worry about.
  • Except the software isn't broken. They are coding the software around potentially huge issues with someone else's hardware.
  • what an amazing logic u have Hiswona. not everything in life is that easy :D
  • Did the fixes in November's Fast ring show the performance impact?
  • Day 0 exploit already being used on Macs. Let's count the days before Apple or Chrome OS fixed this.
  • AMD might not be affected, but since this is rewriting the kernel I doubt they will get a separate kernel, so they might still take a performance hit from the fix
  • "The fix that is in the works involves separating the kernel's memory from user processes as part of what's called Kernel Page Table Isolation (KPTI)" That's incorrect, KPTI is a Linux feature. Windows will likely be using the new Kernel ASLR/VA Isolation which is found in 17035 to workaround the Intel flaw.
  • I don't know why this post get 2 vote down. If his comment is incorrect or inaccurate, please point out to let him and publish understand, instead of "vote down". I just feel someone abuse the vote system here.
  • Around here if you merely mention the words Linux or Mac the troll fanboys of those platforms, which are in great supply around here, jump in to downvote simply because you dared to say that the problems apply to those platforms in addition to Windows. Even worse, his comment said that Windows was using the new way of doing it, implying that Mac/Linux was using the old way. You can't make it look like Mac/Linux is not doing the latest and greatest. That is one of the greatest sins you can commit.
  • Oh, I thought my response was pretty clear, no idea why it was downvoted. Linux is using what they've termed KPTI which is an extension to the KAISER patches developed in Austria last year (https://lwn.net/Articles/740608/). This is what was mentioned in the article, but is _not_ related to Windows. Windows is using what they term KASLR/VA, which was introduced in the preview build 17035 (https://twitter.com/aionescu/status/930412525111296000?lang=en). Both solutions are very similar in that they flush the TLB to provide full kernel isolation (the kernel address space essentially becomes invisible) and avoid 'leaking' kernel code into user mode.
  • Makes me glad that I've been sticking with the AMD chip all these years when I build my PCs. With the exception of the Surface Book I just purchased. If it had an AMD option I would have gotten it.
  • Well, I hope Intel enjoys the upcoming lawsuits. 'cause they will happen. And it'll be more than justified.
  • And the plaintiffs will get a few bucks while the lawyers walk away with millions. No thanks. I want a new processor.
  • @Mandy Fox that's why it 'pays' to read the small print :). The main reason some lawyers get away with that behaviour is that people don't read the contract at all.
  • "while the lawyers walk away with millions" I surely hope so. It'd be nice for a change. Unfortunately, that's not actually how it works.
  • @DJCBS we're fortunate that common sense is prevalent in Europe when it comes to consumer rights and laws whereas in the US... not so much.
  • @TechFreak1, yep the EU protected all those consumers by forcing Microsoft to pay billions, to ship other browsers with their OS and forcing consumers to make a choice between those browsers, to fine Microsoft even more because that list of browsers was not randomized, and then force Microsoft to ship an OS (and still do ship an OS) without a media player. I tell you, not having a media player sure was protecting the consumer
  • I have a Haswell based Corei7 Macbook Pro with Windows 10 which is all I run. I still consider this to be a pretty fast computer and if they don't fix this without causing me to lose a bunch of performance I will be so pissed. I can tell you I will sign onto every class action lawsuit I can find for all of my computers. I've always been an Intel customer but this is not gonna fly for me.
  • Can't wait for the Intel "it's a feature not a flaw" defense...
  • I'm sure they knew the risk but justified it from performance gains keeping them ahead of AMD. If it drops enough and Ryzen per core value catches up that's a big win for AMD. Intel just has to make sure there is no paper trail on leaving this gap in place.
  • Oh ****... 30% hit on performance! Qualcomm MS partnership is increasingly looking good now...
    My poor SP4... :(
  • Oh great, IE and Edge already work at a snail's pace. I just purchased a new mini desktop a few months ago and can't believe how much slower it is from my 15 year old HP desktop with AMD processor. If my desktop and laptop get any slower I won't get any work done. Too bad I didn't get an AMD to begin with. I always thought Intel was hugely overrated ever since I purchased a Dell Mini with their Intel Atom processor. What a joke that was.
  • Who buys an atom and expects performance? More like Dell is a joke for building such a slow junker, I do not consider Dell a real computer too proprietary.
  • Please take into account that I do not know what I'm talking about. :-) A friend of mine advises against installing Java and Flash. I have not installed Java and haven't run into a situation where I've needed it. I also don't install Flash and have "use Flash" in Edge turned off. Is it Java, specifically in this case, that is the problem, and if so, would not having it installed prevent a system from being able to be affected by this flaw?
  • This is another security flaw as it's nothing related to Flash itself but hardware sold by Intel in the last decade. It remains to be seen which / how many processor trees are affected. Your friend is correct in regards to Flash as it has many security issues hence why Apple for example doesn't allow Flash to run on iOS any more. It's also the reason why you should always update Flash frequently if you have it installed. In regards to Java, that's fine and is widely used however for basic browsing you don't really need it. Regardless you should always have a proper firewall and anti-virus installed, anyone who says otherwise doesn't really understand the ramifications of zero day exploits. If you need a heavy duty firewall / security suite - check out F Secure but be wary it is very, very, very resource heavy. Eset is a decent, light weight solution.
  • Nothing to do with Java or Flash. It's a hardware problem. It's a bug/exploit in the physical processor which needs to be patched on the Operating System kernel level. (Since replacing all the physical processors would be an absolute nightmare)
  • Looks like the 30% info may be exaggerated. Thurrott and others are saying it's 0.3% average. Could vary. Two tweets that summarise the issue at hand :- 1. 30% was quoted as a synthetic syscall heavy workload. Some published academic workarounds and patch methods give a 0.3% perf hit on average. 2. I'm sure in some specific workload it will happen. The trick is nuance: how do you characterize a bug fix that has a variable impact? Non-techies want a simple explanation to a complex matter. Meanwhile the public is weary of statistics being used to downplay bad things
  • It's probably exaggerated for most end users, but in terms of virtualization datacenters like Amazon, Azure, Google, etc... they are where the performance hit will be significant. Which may result in higher costs either because they decide to charge more, or because you require a beefier VM than before for the same performance.
  • I think Microsoft will have to make a patch that separately recognizes AMD and Intel processors. If they do not it would mean a slowdown to the Xbox One as they share the kernel between the Xbox and PC, and I just don't see Microsoft slowing down the Xbox at this point.
  • Genius...
  • Hm, glad I bought a Ryzen 5 instead of an i5.
  • I would take anything the register says with a grain of salt.
  • It's also being reported by Reuters, AP, Gizmodo, Fox News, Ars Technica, etc. Choose your biased media of choice. It doesn't change the facts.
  • Yes! My unhealthy obsession with AMD finally pays off!
  • Well my new machine uses a cpu from AMD and it is one of the new ones. Boy I am happy now! But my laptops... ****.....
  • NSA backdoor at exposed
  • Ha!!!💁
  • So glad my desktop computer has an AMD processor.
  • Intel and their usual bullsh*t, "Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits." What kind of nonsense is that? I hope Intel wakes up from their usual bullsh*t! The news sites never report products of other companies having this problem, only the Intel processors and I also pity the Android phone users who have Atom processors in their phones, how they're gonna cope with a very high performance hit considering how open-source Android is.
  • Big deal, there are flaws in everything, Linux has had a hole for 10 years, my i7 beast is not concerned, just wait for the AMD holes to be found. All the Intel and Windows haters gonna be all over this. No one is safe, to think you are is a joke :)
  • Older AMD processors, maybe. But I doubt the Ryzen ones and newer server processors will have such flaws, otherwise AMD wouldn't have made that response. Also, the up to 30% decrease might be the decrease in the processing speed aka max frequency of each core and in the case of the 3rd to current-gen Core i5s and i7s and the recently released i9s, the upcoming Windows Update might disable some cores or threads depending on how much speed is decreased after the update is installed.