Intel claims CPU security flaw not unique to its chips, implies ARM and AMD chips could be...
Intel has responded to reports of a wide-reaching kernel memory security issue, saying that it is an industry-wide issue, and not specific to Intel -- but the company fails to quantify specifically what it is doing to solve the problem.
Following initial reports of a problem with how Intel's X86 architecture fails to properly secure kernel memory, Intel issued a statement on Wednesday afternoon about the matter. In its declaration on the matter, Intel declares that AMD and ARM processors are subject to the same bug -- despite AMD having already denied that it is afflicted.
Intel's statement in its entirety is as follows:
Intel's statement also seems at least partially contrary to claims that performance would be impacted, and cloud computing venues such as Amazon EC2, Microsoft Azure, and Google Compute Engine would feel the impact most severely.
Update: More details have emerged about the trio of exploits that appear to have been combined for the original reporting from Tuesday night. Two of the vulnerabilities called "Meltdown" and "Spectre" can be executed on nearly every X86 device produced since 1997. Contrary to Intel's statement, one researcher informed ZDNet that an attacker could likely steal "any data on the system" but if the researcher was talking about drive or RAM contents wasn't clear.
Multiple watchdogs see no evidence of any exploits being used now, or in the past. However, on Wednesday, proof-of-concept code was revealed.
ARM has confirmed that the Cortex-A family is affected, but the Cortex-M chip found in "internet of things" devices is not.
"The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," AMD said in a statement. "Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
Following initial reports of a problem with how Intel's X86 architecture fails to properly secure kernel memory, Intel issued a statement on Wednesday afternoon about the matter. In its declaration on the matter, Intel declares that AMD and ARM processors are subject to the same bug -- despite AMD having already denied that it is afflicted.
Intel's statement in its entirety is as follows:
Despite Intel explicitly denying that it is a bug in its statement, Apple, Microsoft, and others are already dealing with the problem. Apple has already at least in part rectified the issue in macOS High Sierra 10.13.2 from December, with Microsoft apparently having a patch in the works for Windows 10.Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Intel's statement also seems at least partially contrary to claims that performance would be impacted, and cloud computing venues such as Amazon EC2, Microsoft Azure, and Google Compute Engine would feel the impact most severely.
Update: More details have emerged about the trio of exploits that appear to have been combined for the original reporting from Tuesday night. Two of the vulnerabilities called "Meltdown" and "Spectre" can be executed on nearly every X86 device produced since 1997. Contrary to Intel's statement, one researcher informed ZDNet that an attacker could likely steal "any data on the system" but if the researcher was talking about drive or RAM contents wasn't clear.
Multiple watchdogs see no evidence of any exploits being used now, or in the past. However, on Wednesday, proof-of-concept code was revealed.
ARM has confirmed that the Cortex-A family is affected, but the Cortex-M chip found in "internet of things" devices is not.
"The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," AMD said in a statement. "Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
Comments
There is MUCH more to this story (Intel claims this was uncovered by Google "a couple of months ago", but Apple had a fix out Dec 6th (OS X 10.3.2)). In the Interview Intel's CEO seemed to the scold the press for highlighting an unfortunate leak by a Linux programmer (who posted his findings on GitHub).
Intel also notes how the "industry" is working together to provide software fixes - without noting that those don't solve the hardware problem. And if not carefully tailored to fix the kernel issues on an individual chip basis the software fixes could cause serious issues for non-affected chips (including Apple's and AMD's - remember that virtual OS can be chip agnostic).
Email from Tom Lendacky SMTS Software Engineer - AMD
Except over a billion Android devices that will never see a patch to fix this.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
Any legal insight into this would be welcome.
I'm willing to give Intel the benefit of the doubt and take a wait-and-see approach. They do seem to have some pretty sharp business and engineering minds in their ranks. Let's see what they will do in conjunction with their OS vendor partners.
Just my opinion, but I've always found that the least productive and most damaging reaction to anything that like this is panic. Panic coupled with a lack of data, speculation, and insufficient understanding of the issue will most certainly latch the Bozo Bit and cause normally stable people to do really stupid things, like wrapping their PC in tin foil and burying it in the backyard, or reverting to using an abacus as their only computing device. Hopefully the media won't run amok with this like they so often do with anything Apple related.
This guy kind of speculated about this exact vulnerability several months ago. https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/