Intel Says Recently Reported Security Flaw is Overblown (Updated)


Update: The Verge is reporting that Microsoft is releasing an “emergency” security patch for Windows ahead of Patch Tuesday to fix this issue. That’s not the wording Microsoft uses. –Paul

Update: Intel has downplayed the significance of this flaw (which is actually two flaws). –Paul


Intel has finally responded to widespread reports about an undisclosed security flaw in its processors. The flaw is not limited to Intel chips and is not as serious as reported, the firm claims.

“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” an Intel statement explains. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

Intel says it was forced by what it calls “inaccurate media reports” to discuss the flaw and resulting exploits; it had originally intended to reveal the issue next week, when more software and firmware updates will be available.

Presumably, the processor giant is referring to crap like this post from The Register, which claims that Windows and Linux may have to be fundamentally “redesigned” to fix the flaw. But I’ve been told that Microsoft has already fixed Windows: If you’re in the Windows Insider program, you got the fix two builds ago, and mainstream users will be updated next week on Patch Tuesday as scheduled.

Intel’s statement is deliberately vague, but it does provide a few additional details.

First, this flaw does not impact only Intel chips, as has been reported in many places.

“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect,” the Intel statement notes. “Many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits.”

Second, Intel is working with its processor competitors on solutions that will help all of their customers.

“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings, and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,” the statement notes.

And third, and perhaps most importantly, reports about “30 percent” performance declines after the fix are also erroneous.

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

We should know more next week when Windows and other operating systems are patched.

 


Conversation 16 comments

  • PincasX

    03 January, 2018 - 4:34 pm

    FWIW – Apple also appears to have a fix that is in the upcoming update for MacOS.

  • skane2600

    03 January, 2018 - 4:35 pm

    If there were really a 30% performance hit, I'd be inclined to take my chances and not install updates. Since I had to drop back to Windows 7, I could avoid them. Hopefully Intel is correct about the performance not being degraded too badly.

    • Waethorn

      04 January, 2018 - 10:28 am

      In reply to skane2600:

      "Taking your chances" is not a phrase you use with security.

      And no, Intel is not correct. They lied about the impacts, both at a security level, and a performance level.

  • jimchamplin

    Premium Member
    03 January, 2018 - 4:39 pm

    So it’s not an Intel flaw, it’s an inherent issue with out-of-order execution and speculative pipelining? Is that the takeaway here? One of the most important advances in CPU technology is now a liability?

  • Skolvikings

    03 January, 2018 - 4:55 pm

    I'm not sure who to believe at this point.

    • lvthunder

      Premium Member
      03 January, 2018 - 6:19 pm

      In reply to Skolvikings:

      Don't believe anyone until more information is available.

    • hrlngrv

      Premium Member
      04 January, 2018 - 5:13 pm

      In reply to Skolvikings:

      I figure it's fairly safe NOT to believe in full anything Intel says. OTOH, too early to go into Y2K-like panic mode.

  • jpwalters

    Premium Member
    03 January, 2018 - 6:00 pm

    While both extremes of impact here are probably a stretch, I suspect Intel has a vested interest in minimizing the impacts of this and doing some form of damage control. I think we will need to wait and see.

  • offTheRecord

    03 January, 2018 - 6:07 pm

    “Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings, and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,”

    Whether or not this is an Intel-only issue or impacts all chip vendors (has anyone else besides Intel acknowledged an issue?), I would imagine that every single chip vendor wants to make sure that any mitigation efforts don't adversely impact them relative to their competitors. If it is an Intel-only issue, you can bet Intel doesn't want to be the only vendor to have to take a 5% to 30% performance hit, and you can bet the others wouldn't want to have Intel's performance hit applied to them unnecessarily.

  • Sandy

    03 January, 2018 - 7:03 pm

    Talk about weasel words: “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

    Not an explicit denial of the ability for 'unprivileged' code to obtain private kernel data such as encryption keys, and what about possibly virtual machines accessing the virtualisation host hardware's private data?

    Intel saying that at least one chip from another vendor has this vulnerability doesn't mean it isn't a problem, nor does it contradict the AMD engineer's statement that AMD's CPUs don't have this flaw.

    On the performance bit, obviously the impact will be workload-dependent; if you're just doing e-mail & web browsing you're unlikely to notice, but this would appear to have a significant impact on heavily-utilised systems (e.g. database servers and virtualisation hosts).

    • wright_is

      Premium Member
      04 January, 2018 - 2:48 am

      In reply to Sandy:

      And the main use case discussed so far is that it could be used to circumvent KASLR in order to do ROP in Ring 0. That would be a very useful trick for malware writers.

      I'll be interested to see how bad it is, when the details are finally released.

  • red.radar

    Premium Member
    03 January, 2018 - 7:34 pm

    The cloak and daggers describing the "issue" makes me insanely curious as to what the technical details are. Something that affects all processors and is based on "software analysis methods".

    Wow, seems that the solution will be to remove software or analysis from the computer.

    Does this affect Android / iOS?

  • arunphilip

    03 January, 2018 - 10:59 pm

    That said, good to see the software and hardware sides of the industry working together to fix this.

    If only this level of collaboration was the norm…

  • matsan

    04 January, 2018 - 12:36 am

    Seems to be urgent enough for AWS to issue the following to their customers:

        We previously advised you of important security and operational updates which will require a reboot of one or more of your Amazon EC2 instances in the EU-WEST-1 Region. Unfortunately, we must accelerate the planned reboot times for these instances given anticipated publication of new research findings.

    The original plan was to reboot before Jan. 15.

  • Waethorn

    04 January, 2018 - 9:31 am

    "Meltdown" is the one that affects Intel chips exclusively, and Skylake and newer chips are reportedly not affected. This is the one that's actively being patched right now. Older chips are going to be slowed down worse than newer ones, although it seems the patch affects it based on a percentage of CPU usage which is why Intel is quick to try and deflect blame and talk about "usage scenarios". Sure, you won't notice it as much on a newer i7 than an older Celeron – because they're just faster to begin with.

    "Spectre" is what affects ALL chips, including ARM, and software fixes don't completely plug the hole. Also, this is the one that will affect the performance of all chips and the OS's that run on them, and sets silicon designs back several years.

    Although data can't be modified, it can be easily read and stolen, including passwords before cryptography processes are run on them. It's a major IT security nightmare and will cost billions to resolve and reduces the reputation of major technology companies.

    This is one of the reasons why I always said that it was a bad choice for Microsoft to compromise on kernel protection for antivirus companies back when Vista SP1 came out. They should've hardened it even more IMO.

  • hrlngrv

    Premium Member
    04 January, 2018 - 5:09 pm

    Cynicism, but this may be the sort of thing CEOs and top management down-pedal to prop up share price for a day or an hour to give investors a little time to sell their shares. If the flaws were already public knowledge, then no insider trading.

    Less cynical, Intel senior management at the moment is far more concerned with its shareholders and its exempt employees' bonuses than it is about the welfare of PC users.


Thurrott © 2024 Thurrott LLC