Intel has responded to reports of a wide-reaching kernel memory security issue, saying that it is an industry-wide issue, and not specific to Intel — but the company fails to quantify specifically what it is doing to solve the problem.
Following initial reports of a problem with how Intel's x86 architecture fails to properly secure kernel memory, Intel issued a statement on Wednesday afternoon. In it, Intel declares that AMD and ARM processors are subject to the same bug, despite AMD having already denied that it is afflicted.
Intel's statement in its entirety is as follows:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data. Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Despite Intel explicitly denying in its statement that the issue is a bug, Apple, Microsoft, and others are already dealing with the problem. Apple has already at least in part rectified the issue in macOS High Sierra 10.13.2 from December, with Microsoft apparently having a patch in the works for Windows 10.
Intel's statement also seems at least partially contrary to claims that performance would be impacted and that cloud computing venues such as Amazon EC2, Microsoft Azure, and Google Compute Engine would feel the impact most severely.
Update: More details have emerged about the trio of exploits that appear to have been combined for the original reporting from Tuesday night. Two of the vulnerabilities, called "Meltdown" and "Spectre," can be executed on nearly every x86 device produced since 1997. Contrary to Intel's statement, one researcher informed ZDNet that an attacker could likely steal "any data on the system," but it wasn't clear whether the researcher was talking about drive or RAM contents.
Multiple watchdogs see no evidence of any exploits being used now, or in the past. However, on Wednesday, proof-of-concept code was revealed.
ARM has confirmed that the Cortex-A family is affected, but the Cortex-M chip found in "internet of things" devices is not.
"The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," AMD said in a statement. "Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
49 Comments
It’s nothing new or a secret. It was there since 8086 and 8088 in the kernel. It was used by many governments on 80386 and onwards and as a back-door for decades. Fix it? No way.
I don't care if every CPU is compromised.. I still want a replacement or a refund.
By the time some hacker understands how to exploit the flaw, a patch is already in place. No foul, no harm!!