Intel: Updates Will Make Chips “Immune” From New Security Vulnerabilities

Posted on January 4, 2018 by Paul Thurrott in Hardware with 19 Comments


Following up on this week’s debacle, Intel said tonight that it is “rapidly issuing updates” for its chipsets that will render those systems “immune” from both recently-reported exploits.

Intel addressed a number of issues in today’s statement, and it continues to claim that the impact from the two major vulnerabilities—called “Spectre” and “Meltdown”—has been exaggerated and will be fully mitigated over time.

And this is true on all of the Intel-based systems out there, not just PCs. Intel says that it and its partners—like Microsoft—have “made significant progress in deploying updates as both software patches and firmware updates” on personal computers and servers.

“Intel has already issued updates for the majority of processor products introduced within the past five years,” the Intel statement reveals. “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.”

With regard to the performance impact of the fixes for these vulnerabilities, again Intel is citing what it believes are exaggerated reports.

“The performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time,” the firm notes. “While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.”

But Intel continues to claim, alarmingly, that the flaws that led to these exploits are not “bugs” in its processors.

“This is not a bug or a flaw in Intel products,” the company writes. “These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”

I take exception to that claim: The systems may be working as designed, and they may work similarly to other processors from other companies. But this is very much the result of one or more design bugs, or flaws. And stating otherwise reeks of legal double-talk, an attempt to avoid a class-action lawsuit or similar.

Anyway, Intel says that it will continue working with its partners to address the recently-revealed problems. The assumption here is that further updates may be needed, and that things will only improve over time. But the firm says it is not aware of any real-world malware based on these exploits. Surely, that is only a matter of time.

 


19 responses to “Intel: Updates Will Make Chips “Immune” From New Security Vulnerabilities”

  1. lvthunder

    So what is getting patched? Is it Motherboard firmware, Windows, Chipset drivers, etc? Does anyone know?

  2. TomKer

    "But the firm says it is not aware of any real-world malware based on these exploits."


    Let's ask the NSA. Bet they have something.

  3. William Kempf

    It's word play, but you can't blame Intel for not wanting to call this a bug. The general attitude towards "bugs" is that they are mistakes made in software that's the fault of the developers. If this "bug" exists for Intel, AMD and ARM chips it's very hard to blame anyone specific, is it not? The chips were designed to work a certain way, and they function just fine in that manner. Someone just found a way to use the chips in a way not intended. Is this serious? You bet. Do they need to address the problem? Absolutely. But you can sort of see the case for this not being labelled as a bug, and you certainly shouldn't be singling out any individuals for negligence here. It sucks, and we want to lay blame somewhere, but the reality is there isn't really any way to prevent things like this from happening.

  4. Roger Ramjet

    "But Intel continues to claim, alarmingly, that the flaws that led to these exploits are not “bugs” in its processors."


    I think this is just a semantic thing. Intel will not win because the feeding frenzy has changed the language long before now, and rest assured there is another feeding frenzy right now. An analogy is you have a well designed lock on your front door. But if a skilled locksmith, as well trained as the designer, is given an indefinite amount of time to find a way to open it, he would do it. Is this a bug, or flaw in the design, or just the nature of humans, how we got from spears and shields to whatever the militaries have now?

    Essentially the language, in the tech industry, has evolved to call it a bug, and Intel is now belatedly saying they don't agree; a bug or flaw would be something more like if someone had a similar key and turned it just right the door would open (in their interpretation) contrary to the manufacturer's expectations.



  5. annashetty

    This is sooooo irritating. I can find anything on this website. No fan-club registration info anywhere. 


  6. Polycrastinator

    Last BIOS update that was released for my Intel desktop board was in 2013 (Ivy Bridge generation). It'll be interesting, I guess, to see if they'll release an update for something so old.

  7. davidblouin

    Maybe if some people weren't that eager to share new vulnerability with plenty of details every time they find one we wouldn't be in this mess every six months or so... just saying.

    • mikiem

      In reply to davidblouin:

      That's how security researchers get noticed, & they hope get job offers etc. that lead to fatter bank accounts. At the same time, the security industry as a whole benefits, because news of new exploits is essentially free advertising. Spectre & Meltdown don't fit that biz plan -- it's not something security software can claim to cure -- but it's an example of their habitual mindset... the more we focus on potential threats, the better their biz & profits.

  8. pderosa

    Spectre has from now until forever to be improved. I do not think they have entirely fixed what already exists with this, but even if they have this is definitely going to evolve into a more specialized and refined attack.


    Paul, this is just a random idea, but have you considered writing about Project Midori and Sing# with respect to this issue?

    • mikiem

      In reply to pderosa:

      "...but even if they have this is definitely going to evolve into a more specialized and refined attack."


      But will this evolving happen in the hands of cyber criminals or spies, or under the auspices of the security industry? Humans most likely will remain the weakest link -- why do more work than you have to -- and it's doubtful any advancements re: Spectre &/or Meltdown will see a decline in phishing, spam etc.

  9. Jhambi

    KB4056892  - Windows update just installed it, pending restart. Hopefully doesn't slow down too much

    • mikiem

      In reply to Jhambi:

      "Hopefully doesn't slow down too much"


      We've got some lower powered Windows devices I'm a bit worried about in that regard, e.g. a miniPC running a Celeron as a HTPC. From what I've read it shouldn't affect media playback too much, but just in case I'm thinking about making sure the registry key for AV compatibility never gets added.


      support[.]microsoft[.]com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

    • JimP

      In reply to Jhambi:


      You should be able to run this utility from Intel to determine whether or not the fix actually fixed the vulnerability:


      downloadcenter.intel.com/download/27150

  10. ncn

    No ... it's not a flaw or a bug. What they are doing is reacting to an unanticipated advance in malware technology. And by the way, Paul, I believe you are wrong when you surmised this technique could be used to gather data from one user address space to another. My understanding is that it works only in the host address space and potentially parts of the kernel address space. This is because the active page tables and translation lookaside buffer only hold entries for those two spaces at any one time. You'd have to find where the kernel itself was cooperating by bringing someone else's data into the kernel space for you. The current exploits only gather data from the infected address space ... as it may become a little obvious when all of a sudden you start getting hundreds of read-protect hits against the kernel space.

    • wright_is

      In reply to ncn:

      Meltdown is the Kernel memory problem, Spectre allows inter and intra process data nabbing, although restricted to something like 1500 bytes a second. I believe though, that it is limited to a 4GB address range.

  11. mikiem

    "Intel said tonight that it is “rapidly issuing updates” for its chipsets that will render those systems “immune” from both recently-reported exploits."...

    "Anyway, Intel says that it will continue working with its partners to address the recently-revealed problems. The assumption here is that further updates may be needed, and that things will only improve over time."


    Problem is, Intel makes chip/chipset updates available to manufacturers, not end users -- how many manufacturers are going to actually issue updates on hardware, especially last year's models & older?


    "But the firm says it is not aware of any real-world malware based on these exploits. Surely, that is only a matter of time."


    It's only a matter of time because part of the way the security industry works is a scam... Imagine if the DEA also ran R&D for illegal drug suppliers. Same thing really. Yes, security researchers collecting bug bounties & such is cool -- it helps everyone because software gets better because of it. But Spectre & Meltdown should be a wake up call -- it's time to take a better look at how the security industry pushes extremes. Yes, exploits based on the two are possible, but would anyone have ever pursued them real world? Would anyone ever have pursued them real world?


    As info becomes available, it appears that where Intel & AMD differ in this case is that Intel left out safety checks in pursuit of better performance, IMHO likely because their engineers felt [perhaps rightly] that developing & using exploits taking advantage of the absence of those checks was extremely impractical. At least in 2015... over the next year increasingly advanced How-To manuals & ever more efficient proof-of-concepts will no doubt be published by security folks, based on their work starting mid-2016 -- the continual advancement of cyber crime after all is necessary for their industry's growth, job security, & profits.
