Intel Disputes CPU Bug Claims

Update, 1/4/18, 8:00am PT: We now have statements from several semiconductor vendors and news on the exploits. Read more at: Understanding The Meltdown And Spectre Exploits: Intel, AMD, ARM and Nvidia.

Intel's stock took a pounding this morning as reports of a fatal bug inside the company's processors swept the web. We cautioned that many of the performance claims felt a bit overblown, and in fact, testing with the patched Windows operating systems emerged over the last few hours. Those preliminary tests reveal that there is little to no performance regression in most desktop workloads, with synthetic I/O tests inflating the issue.

Intel's silence on the "bug" was deafening over the last 24 hours as the story unfolded, but now the company has issued a statement that contends there is, in fact, no bug at all. The company claims the issue affects many other vendors and is not inherent to Intel architectures. Below is Intel's statement in full:

Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.

Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.

Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.

Intel included several key points in the statement, with one of the most evident being the mention of collaboration with AMD and ARM Holdings to combat the issue. Intel's stocks tumbled a whopping 7% earlier in the day as AMD skyrocketed to a 10% gain. This was largely due to reports that AMD processors did not suffer from the same "bug" as Intel processors. Immediately following the statement, AMD began to erase some of the gains made earlier in the day, falling to +4%, while Intel began climbing again to -4%. The stock continues to move in those directions for both companies.

Earlier in the day, analyst firm Bernstein also claimed that the bug could cost Intel hundreds of millions. The firm compared the current situation to Intel's $475 million charge for the Pentium FDIV bug in 1994 and the $700 million charge for the Cougar Point chipset issues in 2011. According to Intel, neither of those cases are similar to the current situation. Of course, these claims may be disputed by some of Intel's customers, but given the other vendors involved, that seems like a slight chance.

It is noteworthy that Intel believes the exploit does not have "the potential to corrupt, modify or delete data." Given the wording, this implies the exploit can read data. Intel had planned to announce the exploit next week as patches roll to end users.

According to Intel, the end is not nigh. Although there are performance implications, Intel and other companies have patches ready to address the security issue and will "mitigate" performance impacts over time. There are performance implications for data center operators, but those will likely be addressed with a combination of software updates and future tweaks to the patch. Intel's statement opens the floor for other companies to weigh in with their version of events. We'll follow up as more details emerge.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
Comment from the forums
    Your comment
    Top Comments
  • MattZN
    Intel's statement is an outright, purposeful deception. They brought up the spectre of data modification and completely avoided mentioning the actual bug, which is the ability to read the contents of kernel memory, when not a single person was talking about data modification and everyone was talking about the ability to read kernel memory. Being able to read kernel memory completely destroys the security of the machine, period. You don't NEED to be able to modify memory when you can steal the encryption keys!

    Intel then went on to try to include all other cpu vendors in their little party, to make it seem like it was normal or at least not something Intel-specific. Except this bug *IS* Intel-specific. AMD doesn't suffer from it. ARM doesn't suffer as badly. Sure, there are generally some issues due to speculative timing attacks. But this bug on Intel is the thousand-pound gorilla and they are playing light with it in their statements.

    And also in statements, Intel is trying to pass-off the 'fix' that all of us OS programmers have to do, as being something minor. It isn't minor. We have to completely destroy user->kernel transition efficiency by changing out the MMU page tables (%CR3 reload) for every user->kernel and kernel->user transition. THAT SUCKS ROCKS! 150ns system call overhead increases to over 400ns. that isn't minor. That's a show-stopper.

    It may be that some classes of problems won't care so much, because they don't make a lot of system calls or take a lot of interrupts, but I guarantee you that there are a LOT of classes of problems that do care, particularly on the server side and in the cloud. I sure as hell care. Intel is wasting god knows how many millions of man hours of people's time dealing with this junk.
    All because Intel can't get its house in order. First the management engine, then the hyper-threading bug, and now this junk. I'm sick and tired of it.

  • Other Comments
  • benbennett
    Directly from AMD

    "AMD processors are not subject to the types of attacks that the kernel
    page table isolation feature protects against. The AMD microarchitecture
    does not allow memory references, including speculative references, that
    access higher privileged data when running in a lesser privileged mode
    when that access would result in a page fault.

    Disable page table isolation by default on AMD processors by not setting
    the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
    is set."
  • jpwalters1
    Though the doomsday scenario may be overblown, you must also consider that Intel has a vested interest in downplaying the impact if any, as well as implicating as many other competitors as possible. I think we need to wait and see.
  • tamalero
    Hang on, what windows tests? almost every single test posted online abvout the patch was of linux.

    Also the language you're using in both articles almost seems like you were paid to protect intel.

    Also the intel verbiage seems to be trying to claim other processors have this flaw, which AMD said its false.