Spectre and Meltdown affect practically all CPUs that have been produced by Intel — as well as many from ARM and AMD — since the late 1990s, and security researchers warn the impacts of those vulnerabilities could haunt the IT industry for years to come. Both bugs affect how processors manage kernel memory, creating the potential for malicious actors to access memory anywhere on a device.
Intel’s announcement comes a few days before Data Privacy Day, an annual observance in the U.S. and Canada sponsored by the National Cyber Security Alliance. Held every Jan. 28, the theme of this year’s Data Privacy Day is “Respecting Privacy, Safeguarding Data and Enabling Trust.”
Despite the fact its chips have been at the center of the Spectre and Meltdown storm, Intel has not yet seen an impact to its bottom line, executives reported yesterday during the company’s earnings call. In fact, Krzanich (pictured above) said 2017 was “a record year for Intel,” and the company expects to benefit greatly in the year ahead from the corporate tax cut package recently approved by Congress.
First Silicon-Based Fixes Out Later this Year
While news of the chip vulnerabilities emerged to the public early this month, Intel and other companies had already been working on software-based patches to reduce the security risks in microprocessors found in everything from PCs and laptops to servers and smartphones. However, some of those efforts were slowed after early fixes caused devices to reboot and otherwise behave unpredictably. Patches also slowed down the processing speeds of some computers.
On Monday, Navin Shenoy, executive vice president and general manager of Intel’s Data Center Group, said in a news post that the company was testing a new patch with partners. Until that fix can be released, manufacturers, vendors, and end-users should stop deploying earlier patches, he added.
Yesterday, Krzanich said Intel’s immediate focus was on coming out with “high quality mitigations” to protect customers from potential exploits.
“We’re working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware,” Krzanich said at the beginning of the earnings call. “And those products will begin appearing later this year.”
Cybersecurity ‘A Collective Responsibility’
While Spectre and Meltdown didn’t dampen Intel’s 2017 financial year, which saw $62.8 billion in reported revenue, the bugs could lead to long-term headaches for both customers and the company itself. Krzanich, for instance, is facing investigation for having sold a large amount of his personal Intel stock before news of the vulnerabilities became public. The company could also face a number of class-action lawsuits related to the chip flaws.
Members of the U.S. House Energy and Commerce Committee on Wednesday sent a letter to Intel — as well as to Amazon, AMD, ARM, Apple, Google, and Microsoft — asking for details on the tech industry’s information embargo regarding Spectre and Meltdown.
“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” committee members said in the letter. “As demonstrated by numerous incidents over the past several years, cybersecurity is a collective responsibility.”
In a blog post published earlier today, cybersecurity expert Bruce Schneier wrote that both Spectre and Meltdown stem from the demand from tech companies and consumers for ever-faster performance by a wide range of computing devices. They also portend a future where more devices are attacked at the hardware, rather than software, level, he added.
“Increasingly, everything is a computer: not just your laptop and phone, but your , your appliances, your medical devices, and global infrastructure,” Schneier said. “These computers are and always will be vulnerable, but Spectre and Meltdown represent a new class of vulnerability. Unpatchable vulnerabilities in the deepest recesses of the world’s computer hardware is the new normal. It’s going to leave us all much more vulnerable in the future.”
Image credit: Walden Kirsch/Intel Corporation.
When ‘we’ discovered, exposed and notified Intel about the issue and how we had to rebuild all Intel devices with our secret sauce in deployments starting 3 years ago, when we reached out to those we knew, since then many of those people left the company.
I find it odd to learn ‘when’ the CEO exercised his options and sold his stock. Hell, even some of the divisions at Intel were not notified internally on a timely basis, for instance, like the automotive group. As a shareholder, the CEO and virtually (pun intended) the executives that either knew or the engineers that probably knew and were out-flanked by marketing to ‘go faster’.
I think a systematic complete draining of the idiots that were not paying attention and who have now created a huge liability and damage to the Intel brand integrity should go find other work.
Bruce Schneier’s comments are spot-on and 2018-19 company results will be interesting. For those that are interested to actually understand what we did and delivered to customers — a system without Spectre and/or Meltdown issues — I’ll quietly respond to credible inquiries at [email protected]
Of course not. Intel is not going to have to pay anything for the problem. In addition, if the patch is not fully effective or has any performance penalty, they will sell a lot of processors sooner than they otherwise would have. The likely result of this gift, not bug, is going to be a couple of years of sharply increased sales as years’ worth of defective processors are replaced at full cost.