Intel Misled Industry on Security Vulnerabilities

Posted on January 4, 2018 by Paul Thurrott in Hardware with 39 Comments


Caught in the center of a security vulnerability storm, Intel has done the unthinkable and understated the severity of the problems.

Yes, there is a lot of blame to go around here.

It was wrong for The Register (no link, deliberate) to publish information about these CPU flaws before the industry could issue all of the fixes it was readying, for example.

And it was dumb of AMD to brag—literally—that it saw almost no impact from these flaws in its own processors.

But if I were to point the finger of blame at one company here, and I will, it would have to be Intel. The microprocessor giant has behaved in an irresponsible manner that is just hard to explain.

Consider just three of the quotes from Intel’s statement, which I reported on yesterday. Each of these claims is technically true to some degree. But oh so wrong in all the ways that are important.

“Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

Intel probably does believe that. But the firm left out the most important bit: exploits based on the revealed flaws can read data they were never supposed to see. The problem is not corruption but disclosure. A process running with ordinary user privileges can recover memory contents belonging to the kernel or to other processes (passwords, encryption keys, session tokens), and on a shared cloud host that can mean one tenant reading another tenant’s secrets. That is what makes the flaws particularly dangerous.

“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect.”

It’s unclear why Intel put quotes around the words “bug” and “flaw” since there are in fact two bugs—or flaws—affecting essentially every microprocessor the company has shipped in the past two decades. Are they unique to Intel chips? No. Spectre affects Intel, AMD and ARM designs alike. But Meltdown, the easier of the two to exploit, does not affect AMD’s processors, and Intel has by far the most affected microprocessors still in use in the market, in particular in server and cloud workloads. So Intel is hit the hardest here. And there is no complete fix for one of the flaws: Meltdown can be closed by the operating system, but Spectre can only be mitigated piecemeal, in compilers, operating systems and microcode, until redesigned hardware arrives.

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Put simply, the fixes that are required will impact the performance of the CPU and thus the system of which it is part. The main Meltdown fix, kernel page-table isolation (KPTI on Linux, with an equivalent change in Windows), keeps kernel memory unmapped while user code runs, so every system call, interrupt and page fault now pays for a page-table switch and, on processors without PCID support, a TLB flush on top of it. That is why the impact is workload-dependent: a web browser or office suite barely notices, while databases, virtualization hosts and anything that does heavy I/O or networking can lose a great deal. And there is an evolving understanding of what this impact will be across those workloads, yes. So while it is probably fair to say that the performance impact on end-user PCs will be “not significant,” this comment neatly leaves out the most important bit. The performance impact on Linux-based servers—which power about 30 percent of the Internet—could be as high as 30 percent on syscall-heavy workloads, according to early benchmarks.

In short, each of these statements is irresponsible. And Intel needs to be held accountable for this misinformation.
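A practical follow-up to the performance point above, added by the editor and not part of the original post: on Linux, kernels from 4.15 onward (and distribution kernels that backported the change) report the status of each of these issues in one file per issue under /sys/devices/system/cpu/vulnerabilities/, using strings such as “Not affected”, “Vulnerable” or “Mitigation: PTI” (PTI being the page-table isolation fix whose cost is discussed above). The script below summarizes that directory and returns a non-zero status if anything is still reported vulnerable. The directory path and the status strings are the kernel’s own; the script, its function names and its exit codes are this example’s assumptions, and the directory can be overridden so the script can be pointed at a copied tree.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the Linux kernel's own
# report of speculative-execution mitigation status. Kernels 4.15+ and distro
# backports expose one file per issue (meltdown, spectre_v1, spectre_v2, ...)
# under /sys/devices/system/cpu/vulnerabilities/. The directory can be
# overridden (VULN_DIR or a function argument) to inspect a copied tree.
#
# Exit status of check_mitigations (this example's own convention):
#   0 = nothing reported "Vulnerable"
#   1 = at least one issue still reported "Vulnerable"
#   2 = interface absent (older kernel: status unknown, treat as unpatched)

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "issue<TAB>status" for every file in the directory. The status is the
# kernel's own string, e.g. "Not affected", "Vulnerable", "Mitigation: PTI".
list_mitigations() {
    dir="$1"
    [ -d "$dir" ] || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 if no issue reports "Vulnerable", 1 if any does, 2 if no interface.
check_mitigations() {
    dir="$1"
    [ -d "$dir" ] || return 2
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) status=1 ;;
        esac
    done
    return "$status"
}

# Return 0 if the kernel reports page-table isolation (the Meltdown fix, and the
# source of the syscall-heavy slowdown discussed above) as the active mitigation.
pti_enabled() {
    [ -f "$1/meltdown" ] && grep -q '^Mitigation: PTI' "$1/meltdown"
}

# Run directly with --report to print the table and exit with the summary status.
if [ "${1:-}" = "--report" ]; then
    list_mitigations "$VULN_DIR"
    check_mitigations "$VULN_DIR"
    exit $?
fi
```

Run it on each server before and after applying vendor updates (for example `sh spec-check.sh --report`, the file name being this example’s), and treat exit status 2 as “unknown, assume unpatched” rather than as good news: a kernel old enough to lack the interface is also old enough to lack the fix. On Windows the equivalent check is Microsoft’s SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which additionally reports whether the microcode side of the Spectre mitigation is present.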

 



41 responses to “Intel Misled Industry on Security Vulnerabilities”

  1. RobertJasiek

    It is hard to buy hardware nowadays. Security flaws are in the CPUs, firmware, drivers, certificates, software tools and peripherals. We may guess that there could also be backdoors in or to encryption on behalf of secret services. Easily restricted malware software pales in comparison.

    • Pbike908

      In reply to RobertJasiek:

      Yeah, folks just have to realize that there is no such thing as hack-proof hardware or software. It's all about what risk level one can tolerate. The real danger is if someone ever figures out a way to crash the world financial market, take out a power grid for an extended period of time, cause a nuclear plant to melt down, or something catastrophic like that. Hard to tell what to make of it, as I don't see the world putting the tech genie back into the bottle....

    • John Scott

      In reply to RobertJasiek: Too many possible exploits to claim the sky is falling over one. Yes, I think considering the rest of the exploits out there that actually exist, where nobody has yet crafted anything for Meltdown or Spectre, is being too focused on the what-ifs and less about what is already out there. Intel is no more responsible for providing a perfect CPU than Microsoft a perfect Windows OS. All the talk about Intel being liable for these issues is dreaming. Don't see proof of these patches slowing PCs, and have yet to see proof Intel knew of this issue any sooner than last summer. Hardly enough lead time to fix chips already developed. Personally I have yet to experience any issues with the patches on any of my PCs, which run Broadwell, Haswell, and Kaby Lake CPUs. They all seem just the same as always with patches. This all appears to be over-hyped for the threat it poses so far.


  2. brettscoast

    Good post Paul


    As they are the biggest chipmaker in the world by a large margin, yes indeed they should be held to account for disingenuous or misleading statements about the impacts of their hardware on consumers across a broad spectrum, and the blame, as yourself and others have validly pointed out, lies squarely at their feet.

  3. chump2010

    So when do you apologise, Paul, for backing Intel by saying that they were playing it down and it's nothing to see here, just yesterday?


    You did not have the facts, but you quoted them like they were facts. You gave a quote from Intel, then interpreted it and backed it.


    For instance:


    And third, and perhaps most importantly, reports about “30 percent” performance declines after the fix are also erroneous.


    “Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”



    You did not say Intel believe or some such, you were giving your own take on it like it was fact. At the moment nothing is fact. At most you should have quoted a statement from Intel, and not said anything more. By saying something more, you give the impression like you know more. When in fact you don't - which makes you just as irresponsible as The Register.



    By the way, the fact that Microsoft had the patches ready, all ready to go, clearly makes me think they did not think it was such a serious flaw. They have done many critical out of date patches, but on this one, they did not think it was worthwhile. Except for Windows 10 of course which had their patches released today.


  4. nbplopes

    This is a complex issue that cannot be seen like this IMHO.


    1) There are two newly found classes of "flaws" or "bugs". Take note that security flaws and bugs are found regularly, either in software or in hardware. Usually there is a software fix for that. Within this I cannot fault Intel; it's part of the software / hardware economics.


    2) The two identified bugs are not the same. One is specific to Intel CPUs, the easier one to hack and to fix, and the other is not only pertaining to Intel; it affects AMD and ARM based CPUs. It's harder to exploit, yet it's also harder to fix. It seems that this second bug is not fixable entirely by software only; that's the impression I got.


    Either bug / flaw is of course the responsibility of the manufacturers to fix. So it is the responsibility of Intel, AMD and ARM. Of course, it is also the responsibility of whoever sells devices and operating systems built on top of these products. So it's a problem that needs to be fixed collectively by these companies.


    Cannot fault Intel or anyone for that. These things happen, they are kind of inevitable.


    3) Considering that securing any current systems against the bugs found can only be done with software, of course there will be a performance penalty. Much like any security measure done in software. People have been using software for years to protect their systems, especially on Windows machines; this is one more thing that needs to be done with software.


    What makes these flaws / bugs different from others is that the performance impact of the fix is known (while for any others it isn't), and it is reported that it can slash up to 30% of available performance that could be used for software tasks. It's not certain whether this is regarding both fixes, or one or the other.


    This is a rather big issue. But it will be really hard to pinpoint absolute fault considering the above.


    4) Another consideration, with far more damaging political issues than the ones of impaired usability, is that, as it seems, all companies are not defining these as bugs or flaws. They are arguing that this is by design! In which case, it begs the question: is it a designed backdoor to sensitive data?


    Paul, I'm sorry, blaming Intel is too easy a way out, really. Because at least one of these bugs / flaws has been there since 1995, and back then there was something called Wintel. Meaning that Intel mainly designed CPUs to run Windows, not by accident of course.


    I would prefer it to be admitted that it's a bug / fault in the design, an accidental fault, aka a bug, rather than the other option.


    It will be fun to watch how this thing rolls out.


    5) It seems that every time you read some blog post about a new security flaw before fixes are made fully available, you think it's irresponsible. Even if it comes out a few days before the supposed fixes. Probably in a blog post you can explain your reasons fully. Although I understand your point of view, just note that ignorance is not always bliss.


    Cheers.

  5. edboyhan

    IMO, it's premature to be commenting overmuch on these vulnerabilities. We need more information, and some "realistic" benchmarks to assess the impact of the mitigations. In a month or two we'll have a better understanding of what this all means. I feel like everyone is running around like Chicken Little.

  6. offTheRecord

    "It was wrong for The Register (no link, deliberate) to publish information about these CPU flaws before the industry could issue all of the fixes it was readying, for example."


    I would think 6 months, as it turns out, would have been plenty of time for most companies to get their acts together. So even if The Register had found out about it the day before they published the info, one could argue the industry had already had plenty of time. In fact, apparently some OS patches had started rolling out more than a month ago.


    Having said that, how long is long enough? Waiting for "all of the fixes" clearly isn't a reasonable expectation. Some fixes will never come. Does anyone really think that "the industry" is going to release fixes for all affected components, no matter how old, even if given years to address it? I highly doubt Samsung or LG or whoever is going to rush out fixes for devices that are more than a few years old -- even for former top of the line devices, like Samsung's Note 3s and 4s that are still plenty powerful even today, let alone its older A and J series phones.


    But, who knows? Maybe Qualcomm will actually address the issue with the Snapdragon line and my unusable bootlooping Nexus 5X (that was working great right up to the instant it started bootlooping) will get a new lease on life. Wishful thinking, I know.

  7. Waethorn

    Years ago when Intel bought McAfee, they said they wanted to run a form of the McAfee AV engine directly on their future "programmable" SoCs (before SoCs were even something they produced).


  8. warpedgeoid

    In what world do you live where Linux is only 30% of the Internet server market?

    • Tony Barrett

      In reply to warpedgeoid:

      Agreed. I don't know any sane sysadmin who'd put in an Internet facing Windows server - for anything. Linux is quicker, more secure, smaller footprint and more reliable. Period.

      • Paul Thurrott

        In reply to ghostrider:

        Thanks for the commentary, guys. This is what matters.

        • Chris Payne

          In reply to paul-thurrott:

          This comment bothers me. He was asking about numbers you cite in your written article, and you snark him for it?

          • Roger Ramjet

            In reply to unkinected:

            No, he wasn't asking about numbers, he was being snarky. And the next guy built on it with his no mas Microsoft village idiot routine. Not sure why you would be oh, so surprised by repercussions.

            And in fact many widely differing numbers are cited online around server OS shares; some are around a third for Linux. The poster could have done quick research if this was really of interest.

            • hrlngrv

              In reply to Roger Ramjet:

              If you mean w3techs.com, they show 'Unix' as having 66.9% (so just more than 2/3), and if you click on Unix it takes you to a breakdown which shows Linux as 55.2% of the Unix category, so more than 1/3, specifically 36.9%. That dismisses the 43.8% of the Unix category which is labeled 'Unknown'. Maybe there's a lot of System V, other BSD and AIX, but odds are those servers which don't provide info on their OS are likely to have similar mix as those which do identify their OS, so plurality if not majority Linux.

              • Roger Ramjet

                In reply to hrlngrv:

                I did Bing searches online; w3techs was referenced in some of the cases (Wikipedia for example) but also a bunch of others, IDC, Quora, etc., but I didn't keep records :-) What you found is consistent with some but by no means all; the numbers were all over the place. I think you are stretching the w3 data though; there is nothing that says servers that don't provide info are a random reflection of those that do. I am not a techie, but not providing header info could actually be a signal that they are different from the population that does. Statisticians are typically wary of situations and assumptions like that. You need either day-to-day (you work at w3 or a similar entity) expertise in the area, or you go do an actual count, to make pronouncements there.

                • hrlngrv

                  In reply to Roger Ramjet:

                  Every source I've seen puts Linux just a bit ahead of Windows and together they make up 2/3 of servers sampled.

                  With respect to these bugs, the Linux servers may be affected, and without further details, it'd be conservative to figure most of the servers with unidentified OSes would also be affected, so 2/3 of servers.

            • Waethorn

              In reply to Roger Ramjet:

              It doesn't matter. Windows Server only powers a small sliver of the Internet and most of the statistics of market share date back to 2-5 years ago. Windows was only a maximum of 30%, but Alexa data in 2015 showed it at less than 2%.

  9. John Scott

    I think the bigger picture too is that we used to just see operating system and software exploits. But now we are seeing more hardware issues, and Intel, simply trying to save face when this is obviously a problem that affects a whole lot of hardware regardless of the OS or software or security a user has for a device, is simply ignoring that hardware is very hard to change if it's made badly. Yes, patches will be released, but will they be enough? Paul is absolutely spot on; these problems seriously affect our cloud infrastructure at the hardware level too. A disturbing thought that maybe we will see even more issues found.

  10. Jules Wombat

    But this is not just Intel chips; apparently, according to BBC reports, the Spectre flaw also exists in AMD and ARM based chips.

    There are many more ARM devices to deliver patches to than Intel. Android based devices hardly ever receive updates, so a lot of smartphones out there remain at risk.

  11. Waethorn

    Kudos to Google for finding this stuff. Along with the revelation of Intel using Minix in their Management Engine chips, Google seems to be pretty good at exposing hardware security flaws at the silicon level. It's a wonder Microsoft didn't notice these things, considering all of the "partnering" they and Intel seem to be doing on the Surface product line.


    So the question remains: is Microsoft just incompetent, or complicit? Take your pick.

  12. mikiem

    Intel is publicly stating what their lawyers are telling them to say at this point, as class action law suits are IMHO inevitable. There *might* also be a case to be made that Intel committed fraud -- their CPUs were/are sold based on performance that they cannot now provide. Yes, circumstances have changed with Windows & *nix being patched, but Intel was in a MUCH better position to discover these flaws than Google -- they had to experiment to come up with working theories on how Intel CPUs worked -- and so should have known about it *if* they didn't already. As far as performance impact being insignificant, we'll have to see, but my guess is that there are many millions of devices out there using Intel's lower end CPUs that barely meet the threshold for usability -- even a relatively minimal performance hit might render them useless. If so, as these consumers seek remedies from the manufacturers & sellers, file warranty claims etc., at least some of those manufacturers & sellers will have their own lawyers going after Intel.


    Microsoft **might** also face some legal woes, if they force a Windows patch or patches that result in significant loss of performance -- it's long been argued in court that people have the right to engage in less safe behaviors, e.g. while some would like fast food outlets shut down, & some health-related issues legislated, hasn't happened. In many cases people have no choice but to run Windows 10, & if Microsoft intentionally breaks their devices, no matter how well intentioned their motives, that's on them.

    • spacein_vader

      In reply to mikiem:

      I'm not sure a class action based on loss of performance will work. Their argument will be that they sold you a CPU that had (for example) 4 cores at 3GHz. It still runs 4 cores at 3GHz, so no performance has been lost.


      You may have based your purchasing decision on benchmarked performance indicators provided by 3rd parties (like review websites,) but Intel will claim they're not responsible for those and never directly claimed that performance in a given piece of software.


      Not saying I agree with it, but I can see them defending on that basis.

  13. wshwe

    Apparently the CEO of Intel had $24 million worth of reasons to mislead the industry. What was really irresponsible on Intel's part is hiding these vulnerabilities since last June.

    • wunderbar

      In reply to wshwe:

      No, that's actually responsible white hat security disclosure.


      Responsible white hat hacking is that when someone discovers a bug, they disclose it to the parties responsible, and then generally they work together to actually get a fix/patch into the pipeline *before* disclosing it to the public. Public disclosure in June, 6 months before there was a patch of any kind ready, would have meant more, and more significant exploits based on Meltdown with potentially disastrous consequences.


      6 months before disclosure is longer than normal, but I would make an educated guess that it's because it was a difficult vulnerability to mitigate, and in the case of Spectre, they still can't, and probably spent 6 solid months trying.

  14. Waethorn

    Can you imagine if Intel had to do a recall on this stuff? It would likely bankrupt the company, and then where would we be? Wintel would be obliterated.

    • offTheRecord

      In reply to Waethorn:

      Yeah, this is an interesting issue. We recently bought a new Intel-based laptop for a family member and are quite bummed about this. How do they even begin to "properly" market any of these same laptops today after what the world learned yesterday? Surely, there's got to be some kind of (huge) disclaimer provided at this point now that we know that pretty much every currently available CPU is flawed.

  15. Oscar Castillo

    Some of these vulnerabilities were addressed in macOS 10.13.2, with more fixes coming in 10.13.3. So was Intel working with Apple and other vendors behind the scenes well in advance of this coming out and keeping silent about it? Or were they doing nothing and these fixes just happen to mitigate some of these flaws?

  16. Crystal Walters

    Y2K will break the internet!!!!
