Intel, AMD, ARM All Make Statements About Epic CPU Bug… Alongside New Details About The Bug

This morning it came to light that there was a memory access design flaw in Intel processors and fixing it could lead to a performance drop.

Security researchers have now shared details about two separate critical vulnerabilities impacting most Intel processors and some ARM processors. Called Meltdown and Spectre, which sound like the names of James Bond movies. But I digress. The vulnerabilities offer hackers access to data from the memory of running apps, providing passwords, emails, documents, photos, and more. In short, if you have bought a computer or smartphone since 1995, the pwnage is real for you but it is patchable. However, Spectre impacts all processors, including those from ARM and AMD, and while it is harder to exploit, there is no known fix. Fully addressing Spectre will require a re-architecture of how processors are designed. Google has also shared details on the exploits. Full research papers on Meltdown and Spectre are available here. Oh yeah, proof of concept exploits are in the wild as we speak. It’s not known if hackers have exploited Meltdown and Spectre. But if they haven’t, they will.

Late today Intel came out with a statement posted on its website, Intel says that it planned to disclose the vulnerability next week when additional software patches were available, but was forced to make a statement today due to “inaccurate media reports.” Whatever that means. Here’s part of the statement:

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Interesting. A statement that’s designed to create plausible deniability and avoid a massive lawsuit. But wait, there’s more!

Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

That’s clearly designed to blunt any criticisms of the whatever patches are needed to fix this. Interestingly,  AMD came out with a statement that says this:

There is a lot of speculation today regarding a potential security issue related to modern microprocessors and speculative execution. As we typically do when a potential security issue is identified, AMD has been working across our ecosystem to evaluate and respond to the speculative execution attack identified by a security research team to ensure our users are protected.

To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.

And ARM says this:

I can confirm that ARM have been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory. Please note our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

We are in the process of informing our silicon partners and encouraging them to implement the software mitigations developed if their chips are impacted.

Sounds like of the three, ARM is the most honest. With AMD coming in a very close second. Intel strangely says nothing about reading kernel level data in their statement. You have to wonder why that is.

Advertisements

One Response to “Intel, AMD, ARM All Make Statements About Epic CPU Bug… Alongside New Details About The Bug”

  1. […] Ouch. That’s a slap to the face. But to be fair, I said this yesterday when I covered the release of this statement: […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: