Intel Says Recently Reported Security Flaw is Overblown (Updated)

Posted on January 3, 2018 by Paul Thurrott in Hardware, Windows 10 with 16 Comments

Intel Says Recently Reported Security Flaw is Overblown

Update: The Verge is reporting that Microsoft is releasing an “emergency” security patch for Windows ahead of Patch Tuesday to fix this issue. That’s not the wording Microsoft uses. –Paul

Update: Intel has downplayed the significance of this flaw (which is actually two flaws). –Paul

Intel has finally responded to widespread reports about an undisclosed security flaw in its processors. The flaw is not relegated to Intel chips and is not as serious as reported, the firm claims.

“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” an Intel statement explains. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

Intel’s statement was forced by what it calls “inaccurate media reports” to discuss the flaw and resulting exploits; it had originally intended to reveal the issue next week when more software and firmware updates will be available.

Presumably, the processor giant is referring to crap like this post from The Register, which claims that Windows and Linux may have to be fundamentally “redesigned” to fix the flaw. But I’ve been told that Microsoft has already fixed Windows: If you’re in the Windows Insider program, you got the fix two builds ago, and mainstream users will be updated next week on Patch Tuesday as scheduled.

Intel’s statement is deliberately vague, but it does provide a few additional details.

First, this flaw does not impact only Intel chips, as has been reported in many places.

“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect,” the Intel statement notes. “Many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits.”

Second, Intel is working with its processor competitors on solutions that will help all of their customers.

“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings, and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,” the statement notes.

And third, and perhaps most importantly, reports about “30 percent” performance declines after the fix are also erroneous.

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

We should know more next week when Windows and other operating systems are patched.


Tagged with

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (16)

16 responses to “Intel Says Recently Reported Security Flaw is Overblown (Updated)”

  1. PincasX

    FWIW - Apple also appears to also have a fix that is in the upcoming update for MacOS.

  2. skane2600

    If there were really a 30% performance hit, I'd be inclined to take my chances and not install updates. Since I had to drop back to Windows 7, I could avoid them. Hopefully Intel is correct about the performance not being degraded too badly.

    • Waethorn

      In reply to skane2600:

      "Taking your chances" is not a phrase you use with security.

      And no, Intel is not correct. They lied about the impacts, both at a security level, and a performance level.

  3. jimchamplin

    So it’s not an Intel flaw, it’s an inherent issue with out-of-order execution and speculative pipelining? Is that the takeaway here? One of the most important advances in CPU technology is now a liability?

  4. Skolvikings

    I'm not sure who to believe at this point.

  5. jpwalters

    While both extremes of impact here are probably a stretch. I suspect Intel has a vested interest in minimizing the impacts of this and doing some form of damage control. I think we will need to wait and see.

  6. offTheRecord

    “Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings, and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,”

    Whether or not this is an Intel-only issue or impacts all chip vendors (has anyone else besides Intel acknowledged an issue?), I would imagine that every single chip vendor wants to make sure that any mitigation efforts don't adversely impact them relative to their competitors. If it is an Intel-only issue, you can bet Intel doesn't want to be the only vendor to have to take a 5% to 30% performance hit -- and you can bet the others wouldn't want to have Intel's performance hit applied to them unnecessarily.

  7. Sandy

    Talk about weasel words: “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

    Not an explicit denial of the ability for 'unprivileged' code to obtain private kernel data such as encryption keys, and what about possibly virtual machines accessing the virtualisation host hardware's private data?

    Intel saying that at least one chip from another vendor has this vulnerability doesn't mean it isn't a problem, nor does it contradict the AMD engineer's statement that AMD's CPUs don't have this flaw.

    On the performance bit, obviously the impact will be workload-dependent; if you're just doing e-mail & web browsing you're unlikely to notice, but this would appear to have a significant impact on heavily-utilised systems (e.g. database servers and virtualisation hosts).

    • wright_is

      In reply to Sandy:

      And the main use case discussed so far is that it could be used to circumvent KASRL in order to do ROP in Ring 0. That would be a very useful trick for malware writers.

      I'll be interested to see how bad it is, when the details are finally released.

  8. red.radar

    The cloak and daggers describing the "issue" makes me insanely curious to what the technical details are. Something that affects all processors and is based on "software analysis methods"

    Wow seems that the solution will be to remove software or analysis from the computer.

    does this affect android / IOS?

  9. arunphilip

    That said, good to see the software and hardware sides of the industry working together to fix this.

    If only this level of collaboration was the norm...

  10. matsan

    Seems to be urgent enough for AWS to issue the following to their customers:

    We previously advised you of important security and operational updates which will require a reboot of one or more of your Amazon EC2 instances in the EU-WEST-1 Region. Unfortunately, we must accelerate the planned reboot times for these instances given anticipated publication of new research findings.

    The original plan was to reboot before Jan. 15.

  11. Waethorn

    "Meltdown" is the one that affects Intel chips exclusively, and Skylake and newer chips are reportedly not affected. This is the one that's actively being patched right now. Older chips are going to be slowed down worse than newer ones, although it seems the patch affects it based on a percentage of CPU usage which is why Intel is quick to try and deflect blame and talk about "usage scenarios". Sure, you won't notice it as much on a newer i7 than an older Celeron - because they're just faster to begin with.

    "Spectre" is what affects ALL chips, including ARM, and software fixes don't completely plug the hole. Also, this is the one that will affect the performance of all chips and the OS's that run on them, and sets silicon designs back several years.

    Although data can't be modified, it can be easily read and stolen, including passwords before cryptography processes are run on them. It's a major IT security nightmare and will cost billions to resolve and reduces the reputation of major technology companies.

    This is one of the reasons why I always said that it was a bad choice for Microsoft to compromise on kernel protection for antivirus companies back when Vista SP1 came out. They should've hardened it even more IMO.

  12. hrlngrv

    Cynicism, but this may be the sort of thing CEOs and top management down-pedal to prop up share price for a day or an hour to give investors a little time to sell their shares. If the flaws were already public knowledge, then no insider trading.

    Less cynical, Intel senior management at the moment is far more concerned with its shareholders and its exempt employees bonuses than it is about the wellfare of PC users.