Intel Disputes CPU Bug Claims
Update, 1/4/18, 8:00am PT: We now have statements from several semiconductor vendors and news on the exploits. Read more at: Understanding The Meltdown And Spectre Exploits: Intel, AMD, ARM and Nvidia.
Intel's stock took a pounding this morning as reports of a fatal bug inside the company's processors swept the web. We cautioned that many of the performance claims felt a bit overblown, and in fact, testing with the patched Windows operating systems emerged over the last few hours. Those preliminary tests reveal that there is little to no performance regression in most desktop workloads, with synthetic I/O tests inflating the issue.
Intel's silence on the "bug" was deafening over the last 24 hours as the story unfolded, but now the company has issued a statement that contends there is, in fact, no bug at all. The company claims the issue affects many other vendors and is not inherent to Intel architectures. Below is Intel's statement in full:
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices -- with many different vendors' processors and operating systems -- are susceptible to these exploits.Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.
Intel included several key points in the statement, with one of the most evident being the mention of collaboration with AMD and ARM Holdings to combat the issue. Intel's stocks tumbled a whopping 7% earlier in the day as AMD skyrocketed to a 10% gain. This was largely due to reports that AMD processors did not suffer from the same "bug" as Intel processors. Immediately following the statement, AMD began to erase some of the gains made earlier in the day, falling to +4%, while Intel began climbing again to -4%. The stock continues to move in those directions for both companies.
Earlier in the day, analyst firm Bernstein also claimed that the bug could cost Intel hundreds of millions. The firm compared the current situation to Intel's $475 million charge for the Pentium FDIV bug in 1994 and the $700 million charge for the Cougar Point chipset issues in 2011. According to Intel, neither of those cases are similar to the current situation. Of course, these claims may be disputed by some of Intel's customers, but given the other vendors involved, that seems like a slight chance.
It is noteworthy that Intel believes the exploit does not have "the potential to corrupt, modify or delete data." Given the wording, this implies the exploit can read data. Intel had planned to announce the exploit next week as patches roll to end users.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
According to Intel, the end is not nigh. Although there are performance implications, Intel and other companies have patches ready to address the security issue and will "mitigate" performance impacts over time. There are performance implications for data center operators, but those will likely be addressed with a combination of software updates and future tweaks to the patch. Intel's statement opens the floor for other companies to weigh in with their version of events. We'll follow up as more details emerge.
Paul Alcorn is the Managing Editor: News and Emerging Tech for Tom's Hardware US. He also writes news and reviews on CPUs, storage, and enterprise hardware.
-
benbennett Directly from AMDReply
"AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set." -
jpwalters1 Though the doomsday scenario may be overblown, you must also consider that Intel has a vested interest in downplaying the impact if any, as well as implicating as many other competitors as possible. I think we need to wait and see.Reply -
tamalero Hang on, what windows tests? almost every single test posted online abvout the patch was of linux.Reply
Also the language you're using in both articles almost seems like you were paid to protect intel.
Also the intel verbiage seems to be trying to claim other processors have this flaw, which AMD said its false.
-
PaulAlcorn 20555002 said:Hang on, what windows tests? almost every single test posted online abvout the patch was of linux.
Also the language you're using in both articles almost seems like you were paid to protect intel.
Also the intel verbiage seems to be trying to claim other processors have this flaw, which AMD said its false.
The Windows tests are linked in the text. https://www.computerbase.de/2018-01/intel-cpu-pti-sicherheitsluecke/
AMD has not released a statement about the vulnerabilities.
ARM disclosed a few minutes ago that it also is subject to the vulnerability. The company claims the vulnerability is not the the result of "Architectural flaws."
We will update the post when AMD makes an official statement. -
milkton "this implies the exploit can read data" It's just me but imagine what CIA could have done with this all over the world. But I'm sure CIA didn't have idea about this... or maybe not?Reply -
silverwolf.bwc Haha, where's your post patching Benchmarks? Until you complete those and publish them, all this smacks of paid protection of Intel stock prices.Reply -
PaulAlcorn 20555121 said:Haha, where's your post patching Benchmarks? Until you complete those and publish them, all this smacks of paid protection of Intel stock prices.
https://www.computerbase.de/2018-01/intel-cpu-pti-sicherheitsluecke/
These are preliminary results. Computerbase.de has a solid history of accurate test methodology. -
ldcsteelers What about Cloud providers? They must be shaking in their shoes. Customer A can use this exploit to read data from Customer B.Reply -
wifiburger Yep the bug is real and by early estimates there’s a huge 30% cpu penalty to fix this hardware flaw, OS doesn’t matterReply
Good thing I have my Ryzen