Intel Disputes CPU Bug Claims

Update, 1/4/18, 8:00am PT: We now have statements from several semiconductor vendors and news on the exploits. Read more at: Understanding The Meltdown And Spectre Exploits: Intel, AMD, ARM and Nvidia.

Intel's stock took a pounding this morning as reports of a fatal bug inside the company's processors swept the web. We cautioned that many of the performance claims felt a bit overblown, and in fact, test results from patched Windows operating systems have emerged over the last few hours. Those preliminary tests reveal that there is little to no performance regression in most desktop workloads, with synthetic I/O tests inflating the issue.

Intel's silence on the "bug" was deafening over the last 24 hours as the story unfolded, but now the company has issued a statement that contends there is, in fact, no bug at all. The company claims the issue affects many other vendors and is not inherent to Intel architectures. Below is Intel's statement in full:

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

Intel included several key points in the statement, with one of the most evident being the mention of collaboration with AMD and ARM Holdings to combat the issue. Intel's stock tumbled a whopping 7% earlier in the day as AMD skyrocketed to a 10% gain. This was largely due to reports that AMD processors did not suffer from the same "bug" as Intel processors. Immediately following the statement, AMD began to erase some of the gains made earlier in the day, falling to +4%, while Intel began climbing again to -4%. Both stocks continue to move in those directions.

Earlier in the day, analyst firm Bernstein also claimed that the bug could cost Intel hundreds of millions. The firm compared the current situation to Intel's $475 million charge for the Pentium FDIV bug in 1994 and the $700 million charge for the Cougar Point chipset issues in 2011. According to Intel, neither of those cases is similar to the current situation. Of course, some of Intel's customers may dispute these claims, but given the other vendors involved, that seems unlikely.

It is noteworthy that Intel believes the exploit does not have "the potential to corrupt, modify or delete data." Given the wording, this implies the exploit can read data. Intel had planned to announce the exploit next week as patches roll to end users.

According to Intel, the end is not nigh. Although there are performance implications, Intel and other companies have patches ready to address the security issue and will "mitigate" performance impacts over time. There are performance implications for data center operators, but those will likely be addressed with a combination of software updates and future tweaks to the patch. Intel's statement opens the floor for other companies to weigh in with their version of events. We'll follow up as more details emerge.

Paul Alcorn
Managing Editor: News and Emerging Tech

Paul Alcorn is the Managing Editor: News and Emerging Tech for Tom's Hardware US. He also writes news and reviews on CPUs, storage, and enterprise hardware.

  • benbennett
    Directly from AMD

    "AMD processors are not subject to the types of attacks that the kernel
    page table isolation feature protects against. The AMD microarchitecture
    does not allow memory references, including speculative references, that
    access higher privileged data when running in a lesser privileged mode
    when that access would result in a page fault.

    Disable page table isolation by default on AMD processors by not setting
    the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
    is set."
  • jpwalters1
    Though the doomsday scenario may be overblown, you must also consider that Intel has a vested interest in downplaying the impact if any, as well as implicating as many other competitors as possible. I think we need to wait and see.
  • tamalero
    Hang on, what windows tests? almost every single test posted online about the patch was of linux.

    Also the language you're using in both articles almost seems like you were paid to protect intel.

    Also the intel verbiage seems to be trying to claim other processors have this flaw, which AMD said is false.
  • PaulAlcorn
    20555002 said:
    Hang on, what windows tests? almost every single test posted online about the patch was of linux.

    Also the language you're using in both articles almost seems like you were paid to protect intel.

    Also the intel verbiage seems to be trying to claim other processors have this flaw, which AMD said is false.

    The Windows tests are linked in the text. https://www.computerbase.de/2018-01/intel-cpu-pti-sicherheitsluecke/

    AMD has not released a statement about the vulnerabilities.

    ARM disclosed a few minutes ago that it also is subject to the vulnerability. The company claims the vulnerability is not the result of "Architectural flaws."

    We will update the post when AMD makes an official statement.
  • milkton
    "this implies the exploit can read data" It's just me but imagine what CIA could have done with this all over the world. But I'm sure CIA didn't have idea about this... or maybe not?
  • vapour
    making popcorn...
  • silverwolf.bwc
    Haha, where's your post patching Benchmarks? Until you complete those and publish them, all this smacks of paid protection of Intel stock prices.
  • PaulAlcorn
    20555121 said:
    Haha, where's your post patching Benchmarks? Until you complete those and publish them, all this smacks of paid protection of Intel stock prices.

    https://www.computerbase.de/2018-01/intel-cpu-pti-sicherheitsluecke/

    These are preliminary results. Computerbase.de has a solid history of accurate test methodology.
  • ldcsteelers
    What about Cloud providers? They must be shaking in their shoes. Customer A can use this exploit to read data from Customer B.
  • wifiburger
    Yep the bug is real and by early estimates there’s a huge 30% cpu penalty to fix this hardware flaw, OS doesn’t matter

    Good thing I have my Ryzen