Intel says it had planned to notify users next week, when additional software patches would be available, of a serious design flaw that opens up security vulnerabilities in its CPUs, but was forced to acknowledge the issue after “inaccurate media reports” were released.
Intel claims the issue is not limited to its chips, and that the exploits in question do not have the potential to corrupt, modify, or delete data.
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
The company says it is working with other companies, including AMD and ARM Holdings, to develop an approach to resolve the problem. It also disputes reports that any fix for the problem could cause a 5 to 30% slowdown on affected machines.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Apple has already at least partially addressed the design flaw in the macOS 10.13.2 update, which was released to the public on December 6.
Security researchers have shared details about “Meltdown” and “Spectre,” two separate critical vulnerabilities that impact most Intel processors and some ARM CPUs. The vulnerabilities allow hackers to access data in memory belonging to running applications, which could expose passwords, emails, documents, and more.
The researchers who discovered the vulnerabilities, dubbed “Meltdown” and “Spectre,” said that “almost every system,” since 1995, including computers and phones, is affected by the bug. The researchers verified their findings on Intel chips dating back to 2011, and released their own proof-of-concept code to allow users to test their machines.
“An attacker might be able to steal any data on the system,” said Daniel Gruss, a security researcher who discovered the Meltdown bug, in an email to ZDNet.
“Meltdown is not only limited to reading kernel memory but it is capable of reading the entire physical memory of the target machine,” according to the paper accompanying the research.
ARM and AMD have both issued statements about the issue, with AMD saying there is a “near zero risk” to its processors at this time, while ARM admits its processors are vulnerable.