What You Need to Know About the Major Flaws Affecting PCs and Smartphones In a statement, Intel said the problem isn't unique to Intel products and denied that it would drag down performance for the average computer user.
This story originally appeared on PCMag
Over the next few weeks there's a very good chance your PC or laptop will take a significant performance hit, possibly up to 30 percent slower. Worse is the fact you can do nothing about it, as the slowdown is a side effect of fixing a major design flaw in Intel processors.
If your computer uses an Intel processor produced in the last decade, it probably contains the design flaw. Intel has not yet released a list of affected chips; it's keeping the details under lock and key until operating system patches have been released for Linux, Windows and macOS.
As The Register reports, the flaw is thought to allow user programs to gain access to protected kernel memory areas. The kernel is the core of an operating system and controls anything and everything running on it. It is therefore extremely important the kernel memory remains secure due to the sensitive information it can contain.
Although nobody outside of Intel knows the specifics, the flaw is thought to be so serious it could allow any software, even a bit of JavaScript running in a web browser, to access and steal data stored in the protected kernel memory. So that includes your passwords, login keys or any files that happen to be cached when unauthorized access occurs.
The vulnerability alone is bad enough, but the fix makes the situation even worse. Closing the security hole will result in a significant performance hit to each system. Current estimates suggest that hit could be as high as 30 percent. You read that right, once your system is patched it may run 30 percent slower for certain tasks.
There is no way around this if your system uses an Intel chip. Some newer processor models are thought to be immune, or at least better able to work around the flaw, but until Intel releases specifics we can't confirm which ones. If you are running an AMD processor, you're fine. AMD confirmed its processors are not vulnerable.
Linux kernel patches are already available, with Microsoft expected to roll out the Windows patch with next week's Patch Tuesday. Also keep in mind this flaw will impact all of Intel's major corporate customers. Imagine how many Intel chips are running inside Amazon's or Facebook's datacenters, for example, and what a performance hit will mean for them.
UPDATE: In a statement, Intel said the upcoming fix shouldn't drag down performance for the average computer user.
"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," the company insisted.
The chip maker didn't go into detail about the exact problem, but suggested Intel products aren't the only ones affected. "Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits," it said.
Furthermore, "Intel believes these exploits do not have the potential to corrupt, modify or delete data."
The company originally decided to disclose the bug next week, but opted to release a statement on Wednesday to address what it considered to be inaccurate media reports. It's now delivering the software and firmware fixes to its partners.
"Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available," Intel said.
UPDATE 2: The Intel flaw involves two vulnerabilities that can be used to steal your passwords, emails and any other sensitive data you have on your computer, according to the security researchers who uncovered the bugs.
Intel also isn't the only vendor affected. One vulnerabilty, named Spectre, was found in AMD and ARM-based chips, too. The other vulnerability, dubbed Meltdown, was found mostly in Intel processors as far back as 1995; it's unclear whether AMD or ARM-based chips have the same problem.
Both bugs can essentially help malware grab data stored in sensitive programs, including a password manager or browser. "While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs," the researchers wrote.
Desktops, laptops, cloud servers, and smartphones are affected by one or both vulnerabilities, the researchers warn. Attacks that exploit the two vulnerabilities are also difficult to detect and don't leave any traces.
The risk is especially severe for cloud computing providers, which lease their servers to different clients. Both Meltdown and Spectre can essentially erode the boundaries in a machine that seperate one client's data from another.
The public can find more details about the vulnerabilities on a new website the researchers created detailing the issue.
Android devices with the latest security update from Jan. 2018 are protected from the vulnerabilities, Google wrote in a blog post.
As for Microsoft, it's been rolling out a patch for Windows PCs that should arrive on Wednesday.
Unfortunately, the Microsoft fix may result in some performance dips. "For most consumer devices, the impact may not be noticeable, however, the specific impact varies by hardware generation and implementation by the chip manufacturer," the company said.
Despite the patching, the security researchers say the Spectre security flaw, although harder to exploit, is also more difficult to fully patch. Software-based solutions can act as a stop-gap measure against the threat, but until vendors update their chip designs, Spectre will remain a problem.
