We are seeing reports that indicate Intel processors from the last 10 years suffer from a severe chip-level security bug that The Register reports the fix must be undertaken at the OS level, and even when the fix is available, a performance hit is expected, and this affects both Windows and macOS as well as Linux operating systems and it affects Intel, AMD and ARM processors.
Unfortunately, not a huge amount is known about this bug and this isn't being helped as Intel has put an embargo until later in the month. The Register has unearthed some data and it seems the bug allows normal user programs to see some of the contents of the protected kernel memory.
From what we have been able to establish the malicious software could potentially read the contents of the kernel memory, which can include information like passwords, login keys, and more. It would appear that in order to fix the bug, the kernel's memory needs to be isolated from user processes which could cause a performance hit of between 5 to 30 percent slowdown once the fix is in place.
Update - Apple And Windows Announce Fixes
Apple has made this announcement...
Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.
You can read more on the Apple Support website. However as the macOS 10.13.2 release has been out for a while now it would appear that Apple's fix hasn't had a serious impact on performance.
Apple is normally fairly tight-lipped about the details of security updates but they have released this article About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan to explain more about what is in the recent security updates. So it would seem Apple have resolved 'Meltdown' issue before it became public, with a fix for 'Spectre' in the works.
We also understand that Microsoft has already released fixes for many of its services as well as an article ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities advising what action to take.
Other Services Affected Too
This flaw will also have an impact on cloud computing too because so many computers use Intel processors. We understand that there are hints the flaw impacts services like Amazon EC2 and Google Compute Engine. Apparently both Microsoft Azure and Amazon Web Services have scheduled maintenance due to take place over the next week, although there is no detailed explanation for the downtime, speculation suggests that the maintenance could be to put the software fixes in place for this specific Intel CPU hardware bug.
There is a lot more detail on this story on The Register site.
Update - AMD And ARM Processors Found To Be Affected Too
If you use an AMD processor-powered computer then there appeared to be some good news, according to AMD their processors aren't affected by the bug. Thomas Lendacky from AMD posted this...
AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.
However, it would now appear that AMD is trying to put a gloss on the situation. According to another article on The Register website, it's not just Intel that is affected, ARM and AMD processors are affected too all be it in varying degrees. AMD continues to insist that there is a "near-zero" risk, however, The Register is saying that AMD chips can be attacked in some scenarios, with its CPUs vulnerable in others.
ARM has produced a list of its affected cores, which are typically found in smartphones, tablets and similar handheld gadgets with links to workaround patches for Linux-based systems but there is still nothing from Intel.
This is turning out to be what some are describing as a "mega-gaffe by the semiconductor industry". It would seem as they raced to make their processors faster and faster they compromised security.
You can read more on this on The Register website.