A serious vulnerability has been found in nearly all Intel processors developed in the past decade, which will require significant updates to Windows and Linux operating systems.

While the story is still developing - full details of the flaw currently under embargo, as Intel prepares software patches - it is expected to impact chip performance by as much as 30 percent on some tasks.

Intel and the Terrible, Horrible, No Good, Very Bad Day

Intel logo
– Sebastian Moss/DCD

The flaw appears to allow normal user programs to be able to learn some of the layout or contents of protected kernel memory areas. As a fix, the kernel’s memory is being fully separated from user processes, using Kernel Page Table Isolation (KPTI), the Register reports. This, however, increases the kernel’s overhead, slowing the system down - by between five and thirty percent by some estimates, depending on the process and the processor.

Software developer blogging as Python Sweetness said in a post: “There is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads.

“There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine.”

Ofri Ziv, VP of research at cyber security firm GuardiCore, echoed the concern and added: “This can easily allow compromise of shared container environments, where multiple tenants share a single operating system kernel.

“In addition, we speculate that in shared virtual environments such as Amazon EC2 and Azure Hyper-V where multiple tenants can co-exist on a single physical machine, any CPU attack that can steal data from kernel memory can help compromise “adjacent” machines.”

Last month, AWS contacted customers to let them know it would conduct “important security and operation updates” on January 5, requiring a reboot of EC2 instances. Some speculate that the maintenance is related to the Intel security flaw. Equally, Microsoft Azure will undergo a sercurity update from January 10, again requiring a VM reboot.

Speaking on Twitter, CEO of cloud provider OVH, Octave Klaba, said: “A huge hardware BUG hit all Intel CPU x86. A software patch for Linux is ready. We are testing it and will start to deploy it in the next hours. Maximum tomorrow, a new kernel will be proposed for all customers VPS, PCI, Baremetal. We will upgrade all the images for Public Cloud, Private Cloud, VPS.

“We will need to restart all the hosts Public Cloud/VPS. We want to start it on Saturday, with minimum of impact for the customers. We are looking for the best scenario.

“All the hosts Shared Hosting will be upgraded with no downtime.”

Rival CPU maker AMD, meanwhile, was quick to capitalize on the news. The company said: “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

Shares in the smaller company jumped six percent as the news of the flaw broke.