Gossip started to twirl in the last few days about what was driving both Azure and AWS to push out updates at relatively short notice. And news leaked over the last day that Intel has discovered a significant security flaw in the code of nearly all (or all) Intel processors manufactured in the last decade.
Intel has issued an embargo to partners on sharing the news while fixes are being produced, but the news has leaked, and it affects everything using Intel’s processors: Windows, MacOS, Linux, AWS, Azure, and probably VMware too. It sounds like the error is a hardware error that cannot be fixed using a microcode update by Intel. This means that the hypervisors and operating systems on top of the processors must bypass the flaw in the processor. And here’s where the bad news is.
We can expect Microsoft to issue a security fix very quickly. According to Gizmodo, a redacted form of the fix appeared in the Linux kernel recently. But the fix will bypass the flaw which resides in a performance feature of the processor. My limited understanding is that the feature helps make the switch between user mode and kernel mode less disruptive by tweaking the handling of secure kernel memory. The flaw makes it possible for processes in user mode to scan kernel memory. To bypass this feature, the performance enhancement has to be bypassed, and this could cause anywhere between a “5 and 30 percent” performance hit, according to several news sites, but I don’t know how reliable that number is.
Typical end users won’t notice this. But heavily loaded systems will notice. So if your CPU is heavily used, you can expect that the security fix will cause you problems.
The timing of this flaw/fix and the timing of Azure’s and AWS’s updates cannot be a coincidence.