Billions of Intel CPUs are leaking passwords.

New Downfall vulnerability targets the Gather Instruction in Intel chips,

A scary vulnerability has recently been discovered in some Intel processors, and while the best CPUs are not affected, billions of chips could be. According to the researcher who first spotted the Downfall vulnerability, “everyone on the internet is affected.” This is made worse by the fact that a skilled hacker could steal some of the most sensitive data from affected computers, including passwords.

Downfall was discovered by a senior research scientist from Google, Daniel Moghami, who created a page dedicated to it, detailing how it works and what it can possibly do. Downfall targets the Gather Instruction in Intel chips, which normally helps the CPU quickly access various data spread all over different parts of its memory. However, with the flaw, internal hardware registers can be exposed to software. If the software is compromised, it’s possible that hackers could seize sensitive data from the PC.

The affected CPUs all belong to Intel’s mainstream and server processor lineups, starting from Skylake all the way up to Rocket Lake. This means that, unless you’ve upgraded your CPU in the last few years, you’re definitely affected, but you can check out Intel’s full list of chips that are vulnerable.

As Moghami notes, you don’t even need to own an Intel processor to potentially be affected. As Intel dominates the server market, cloud computing environments might be hit by this as well, where “malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer,” says Moghami.

While pulling off an actual hack with Downfall seems tricky, there’s a lot at stake, which is why Intel has already released a fix — but the downside is a massive performance loss. Intel was quick to say it wouldd be releasing new microcode for the chips that are affected, and it recommended that users update their firmware to prevent being affected by Downfall. It’s here now, but as noted by Phoronix, the price to pay for not having your password leaked is massive.

Intel itself estimated a performance loss of up to 50%, with AVX instructions most affected. The good news is that for most users, this won’t be an issue, but the bad news is that AI-related workloads and overall high-performance computing (HPC) tasks are hit pretty hard.

Phoronix tested the impact on Linux with four different CPUs, including a Xeon Platinum 8380, Xeon Gold 6226R, and an Intel Core i7-1165G7. Performance losses range from 6% up to 39%, which, while not as bad as Intel predicted, is still not great.

You don’t need to update your processor if you’re not worried about being affected by Downfall. While Moghami recommends it, Intel itself allows users to opt out of the extra mitigation in order to restore the full performance of their CPU. If you’re not using your PC for HPC tasks, it sounds like you might as well keep the mitigation on, but Intel has detailed the process of turning it off on their website, if you’d rather get rid of it.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html