Every computer in the world might be compromised by the biggest-ever security flaw—and Silicon Valley has known about it for months.
The Register preempted a coordinated press release from big tech about two microchip attacks that leave personal and sensitive information open to attack even when all software is running properly.
At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.
As news circulated about the bug, tech companies and researchers began releasing available information in their quest to maintain credibility and assuage public fear.
Intel, whose chips run many computers, issued a statement in its newsroom.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
A back-and-forth emerged between chip designers at AMD and Intel over whether security flaws affected all computer chips or just those with a specific design flaw.
In an email to WIRED, AMD noted that the research was performed in a “controlled, dedicated lab environment,” and that because of its processor architecture the company believes that “there is near zero risk to AMD products at this time.”
Intel shot back that the security flaw is universal and that chip manufacturers are working together to solve the problem.
“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits.”
Other companies have been working hard to explain to users how software patches will keep their information safe while they use technology built with these flawed chips.
Microsoft, which relies heavily on Intel processors in its computers, says that it has updates forthcoming to address the problem. “We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers,” the company said in a statement. “We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”
Amazon’s cloud services are also affected by the bug, prompting it to address the controversy.
“This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices,” the company said in a statement. “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours.”
Apple has remained characteristically quiet, refusing to comment on how the chip malfunction could hinder processing on its machines, according to Bloomberg.
There has also been a dispute about how patches will affect computer performance. The initial report from The Register suggests that a significant drop in processing speed would be required to fix the bug.
“Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we’re looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.”
Intel disputed that most users would see any difference in their machine’s speed or capability.
“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Silicon Valley has scrambled to address these security flaws because the report in The Register came before a planned press release, which would have been issued after measures had been taken to fix them.
Intel Chief Executive Officer Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue “a couple of months ago.”
“Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we’re better off to get the fix in place,” Krzanich said, explaining how the company responded to the issue.
Now Intel is facing more sinister accusations: that company executives—notably CEO Brian Krzanich—started offloading their stock before news broke of the product flaw.
Google informed Intel of the vulnerability in June, an Intel representative told Business Insider in a statement.
That means Intel was aware of the problem before Krzanich sold off a big chunk of his holdings. Intel’s CEO saw a $24 million windfall November 29 through a combination of selling shares he owned outright and exercising stock options.
The stock sale raised eyebrows when it was disclosed, primarily because it left Krzanich with just 250,000 shares of Intel stock — the bare minimum the company requires him to hold under his employment agreement.
Now, Intel will have an uphill battle to maintain credibility on the issue, as consumers will read its messages with skepticism.
What should Intel do to regain consumer trust? Is it doing enough to combat what it says are false narratives?