Intel denies reports that only its processors are susceptible to exploit
Intel has responded to reports that its processors have had a serious bug for years. According to the company, chips from more manufacturers are vulnerable to exploits and plans to share details with other vendors next week.
Intel claims it feels compelled to come out with a statement now, due to incorrect media reports. The company does not deny that there are vulnerabilities, but they would not be unique to Intel products. “Based on the analysis to date, many types of computing devices, with processors and operating systems from many different vendors, are susceptible to these exploits.”
The chip giant says it is working with software companies, including AMD and ARM, to tackle the problems industry-wide. Intel does not deny that the solution will have an impact on performance, but these would be dependent on workload. “For the average computer user, these are insignificant and it will improve over time.” This leaves open the option that a more serious impact can be expected for providers of cloud services with, for example, virtual machines.
Intel’s statement is in response to claims this week that its processors have a bug that allows access to protected kernel memory. The solution would be a page table isolation patch, but it could degrade performance by 5 to 30 percent, depending on the application. AMD said the attack was not possible on its processors and proposed code to keep AMD processors out of the patch has since been merged, according to security expert Alex Ionescu: “So either AMD is risking the security of millions of Linux systems, or Intel is using creative, but accurate, wording.” The statement would be accurate because AMD also makes ARM chips and indeed ARM64 code is incorporated into the patch.
Intel is not detailing the vulnerability, but it likely has to do with measures to make address space layout randomization more secure. Aslr is designed to prevent an attacker from discovering memory addresses and works by designating random locations in virtual memory where programs can hide important components.
At the beginning of last year, a software security research group at the VU discovered a vulnerability that made it possible to circumvent aslr and that worked on all Intel, AMD and ARM processors they tested. They developed an attack that can be carried out via Javascript code in the browser, for example by using a malicious website. Using this, it would be possible to escape the Javascript sandbox and run code on a victim’s system. At that time, a second bug was needed to be able to speak of an exploit.