Intel Claims Security Flaw Also Impacts Non-Intel Chips, Exploits Can't Corrupt, Modify or Delete Data [Updated]

Intel this afternoon addressed reports of a serious design flaw and security vulnerability in its CPUs, shedding additional light on the issue that was uncovered yesterday and has since received extensive media coverage.

In a statement on its website, Intel says that it planned to disclose the vulnerability next week when additional software patches were available, but was forced to make a statement today due to "inaccurate media reports."

According to Intel, the issue is not limited to Intel chips and the exploits in question do not have the potential to corrupt, modify, or delete data. Despite Intel's statement, Intel chips are more heavily impacted, and it's worth noting that Intel makes no mention of reading kernel level data.

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.

Intel says it is working with several other technology companies including AMD, ARM, and operating system vendors to "develop an industry-wide approach" to resolve the problem "promptly and constructively."

As outlined yesterday, the design flaw appears to allow normal user programs to see some of the contents of the protected kernel memory, potentially giving hackers and malicious programs access to sensitive information like passwords, login keys, and more. Fixing the issue involves isolating the kernel's memory from user processes using Kernel Page Table Isolation at the OS level.

Despite reports suggesting software fixes for the vulnerability could cause slowdowns of 5 to 30 percent on some machines, Intel claims performance impacts are workload-dependent and will not be noticeable to the average computer user.

Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel goes on to say that it believes its products are "the most secure in the world" and that the current fixes in the works provide the "best possible security" for its customers. Intel recommends that users install operating system updates as soon as they are available.

For Mac users, Apple has already addressed the design flaw in macOS 10.13.2, which was released to the public on December 6.

Update: Security researchers have now shared details about two separate critical vulnerabilities impacting most Intel processors and some ARM processors. Called Meltdown and Spectre, the vulnerabilities offer hackers access to data from the memory of running apps, providing passwords, emails, documents, photos, and more.

"Almost every system" since 1995 is impacted according to ZDNet, including computers and smartphones. Meltdown can read the entire physical memory of the target machine, while Spectre is able to break the isolation between different apps. Meltdown, an easy-to-use exploit, affects only Intel chips and can be addressed by a security patch, which could result in some performance issues. Spectre impacts all processors, including those from ARM and AMD, and while it is harder to exploit, there is no known fix. Fully addressing Spectre will require a re-architecture of how processors are designed.

It's not known if hackers have exploited Meltdown and Spectre as of yet, but there are proof-of-concept examples out in the wild. Google's Project Zero team had a hand in unearthing the vulnerabilities and Google has also shared details on the exploits. Full research papers on Meltdown and Spectre are available here.

Update 2: ARM and AMD have both issued statements following Intel's press release. AMD says there is a "near zero risk" to AMD processors at this time, while ARM says its processors are vulnerable.

From AMD:

There is a lot of speculation today regarding a potential security issue related to modern microprocessors and speculative execution. As we typically do when a potential security issue is identified, AMD has been working across our ecosystem to evaluate and respond to the speculative execution attack identified by a security research team to ensure our users are protected.

To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.

From ARM:

I can confirm that ARM have been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory. Please note our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

We are in the process of informing our silicon partners and encouraging them to implement the software mitigations developed if their chips are impacted.

Top Rated Comments

(View all)
Avatar
33 months ago

I wonder how long Intel has known about this flaw.

Apparently the CEO sold a lot of his stock on Nov 29th and kept the bare minimum amount.

https://www.fool.com/investing/2017/12/19/intels-ceo-just-sold-a-lot-of-stock.aspx
Score: 26 Votes (Like | Disagree)
Avatar
33 months ago
I wonder how long Intel has known about this flaw.
Score: 26 Votes (Like | Disagree)
Avatar
33 months ago

No... after this, I doubt Intel on security, and from what I gather, this stretches all the way back to the Pentium Pro.

Also, I don't care if it modifies, writes or deletes... the most improtant thing the bug allows reading

At least those running DOS 6 and Windows 3.1 on a 486 are safe.
Score: 24 Votes (Like | Disagree)
Avatar
33 months ago
Shading AMD is just another Intel cheap shot. That company has problems.
Score: 21 Votes (Like | Disagree)
Avatar
33 months ago
No... after this, I doubt Intel on security, and from what I gather, this stretches all the way back to the Pentium Pro.

Also, I don't care if it modifies, writes or deletes... the most improtant thing the bug allows reading
Score: 18 Votes (Like | Disagree)
Avatar
33 months ago

I wonder how long Intel has known about this flaw.

I actually kind of doubt they knew about it. While AMD is not affected, it does look like ARM chips are affected. This flaw has potentially been around since Pentium Pro. If Intel knew about it, they'd have quietly fixed it rather than letting it go. I think this is just a really, really good find by the researchers.
Score: 17 Votes (Like | Disagree)

Top Stories

Apple Officially Obsoletes First MacBook Pro With a Retina Display

Wednesday July 1, 2020 3:40 am PDT by
As expected, Apple's first MacBook Pro with a Retina display is now officially classed as "obsolete" worldwide, just over eight years after its release. In a support document, Apple notes that obsolete products are no longer eligible for hardware service, with "no exceptions." This means that any mid-2012 Retina MacBook Pro 15-inch models still out there that require a battery or other...

New Mac Ransomware Found in Pirated Mac Apps

Tuesday June 30, 2020 11:44 am PDT by
There's a new 'EvilQuest' Mac ransomware variant that's spreading through pirated Mac apps, according to a new report shared today by Malwarebytes. The new ransomware was found in pirated download for the Little Snitch app found on a Russian forum. Right from the point of download, it was clear that something was wrong with the illicit version of Little Snitch, as it had a generic installer...

Unreleased iMac With 10-Core Comet Lake-S Chip and Radeon Pro 5300 GPU Shows Up in Geekbench

Wednesday July 1, 2020 10:48 am PDT by
Benchmarks for an unreleased iMac equipped with a 10th-generation Core i9 Intel Comet Lake-S chip and an AMD Radeon Pro 5300 graphics card have surfaced, giving us an idea of what we can expect from a refreshed 2020 iMac. The Geekbench benchmarks, which appear to be legit, were found on Twitter and shared this morning by Tom's Hardware. The iMac in the benchmarks would be a successor to the...

Leaker: Future iPhone Models to Come in 'Exquisite' Thinner Box

Wednesday July 1, 2020 1:57 am PDT by
Leaker L0vetodream this morning posted a tweet corroborating recent rumors that Apple's "iPhone 12" lineup won't come with EarPods or a charger in the box, adding that this will also eventually apply to the existing second-generation iPhone SE. L0vetodream also claims that future iPhone packaging will be "thinner" and "exquisite," which would make sense if Apple's handsets are set to come in ...

Apple's A12Z Under Rosetta Outperforms Microsoft's Native Arm-Based Surface Pro X

Monday June 29, 2020 10:31 am PDT by
Apple's Developer Transition Kit equipped with an A12Z iPad Pro chip began arriving in the hands of developers this morning to help them get their apps ready for Macs running Apple Silicon, and though forbidden, the first thing some developers did was benchmark the machine. Multiple Geekbench results have indicated that the Developer Transition Kit, which is a Mac mini with an iPad Pro chip, ...

Kuo: iPhone 12 Models Won't Include Charger in Box, 20W Power Adapter Will Be Sold Separately

Sunday June 28, 2020 7:56 am PDT by
iPhone 12 models will not include EarPods or a power adapter in the box, analyst Ming-Chi Kuo said today in a research note obtained by MacRumors. This lines up with a prediction shared by analysts at Barclays earlier this week. Kuo said that Apple will instead release a new 20W power adapter as an optional accessory for iPhones and end production of its existing 5W and 18W power adapters...

Rosetta 2 Benchmarks Surface From Mac Mini With A12Z Chip

Monday June 29, 2020 7:48 am PDT by
While the terms and conditions for Apple's new "Developer Transition Kit" forbid developers from running benchmarks on the modified Mac mini with an A12Z chip, it appears that results are beginning to surface anyhow. Image Credit: Radek Pietruszewski Geekbench results uploaded so far suggest that the A12Z-based Mac mini has average single-core and multi-core scores of 811 and 2,781...

Display Analyst Once Again Says No 120Hz ProMotion Display Coming to iPhone 12 Pro

Wednesday July 1, 2020 11:29 am PDT by
Apple's iPhone 12 models will not feature an upgraded 120Hz ProMotion display, according to display analyst Ross Young. Young previously said that Apple would not implement ProMotion technology until it adopted low-power LTPO display technology, a move Apple is not expected to make until 2021. In a tweet shared this morning, Young said that the none of his contacts have been able to...

Apple Seeds Third Betas of iOS and iPadOS 13.6 to Developers [Update: Public Beta Available]

Tuesday June 30, 2020 10:06 am PDT by
Apple today seeded the third betas of upcoming iOS and iPadOS 13.6 updates to developers, three weeks after seeding the second betas and over a month after releasing iOS/iPadOS 13.5 with Exposure Notification API, Face ID updates, Group FaceTime changes, and more. iOS and iPadOS 13.6 can be downloaded from the Apple Developer Center or over the air once the proper developer profile has been...

The New York Times Ends Apple News Partnership and Pulls All Articles

Monday June 29, 2020 11:17 am PDT by
The New York Times today announced that it is pulling out of Apple News, as the service does not "align with its strategy of building direct relationships with paying readers." Starting today, articles from The New York Times will no longer show up in the Apple News app. The news site says that Apple has given it "little in the way of direct relationships with readers" and "little control...