Intel CEO Brian Krzanich has pledged to restore consumer confidence in the security of his company’s products “as quickly as possible,” in the wake of two major flaws revealed last week. Meltdown and Spectre affect almost all modern processors, and companies have scrambled to mitigate the issues and ensure data is protected.
The two issues sound similar, but they operate very differently. Meltdown breaks the barriers between programs and memory, meaning that operating system developers will need to release a security update to stop attackers from taking advantage. Spectre is about using other applications to reveal protected data, which makes it harder to prevent but also harder to exploit in the first place.
The research team, which includes collaborators from the Google Project Zero security team alongside academics, claimed in a January 3 post that every Intel processor released after 1995, bar a select few, is potentially affected by Meltdown. ARM has confirmed some of its own processors are also affected by Meltdown. Spectre affects almost every system on the market, and the team verified its presence in Intel, AMD and ARM processors.
In an open letter released Thursday, Krzanich outlined three pledges to consumers:
Customer-First Urgency. By January 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.
Transparent and Timely Communications. As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.
Ongoing Security Assurance. Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.
Krzanich’s letter is the latest move in the fight to protect against the flaws. Apple announced last week that its Mac, iPhone, iPad, Apple TV and Apple Watch devices were affected to varying degrees by the flaws, and that it would release updates over time to protect against Spectre as much as possible. The company already protected against Meltdown with a series of software updates in December. Microsoft is also taking steps to protect Windows users.
However, there is a fear that patching against these issues can have an adverse effect on performance. The Register reported that, depending on the task, performance could slow down anywhere between five and 30 percent. More recent Intel processors have features like process-context identifiers that could help avoid slowdowns.
Microsoft has admitted that older systems will see a decrease in performance through these updates. Windows 10 PCs from 2016 onwards, running on Intel Skylake or newer chips, will see minimal slowdown. Windows 8 and older PCs from 2015 or earlier will see a larger slowdown. If the trade-off is data security, though, users can at least rest assured that these updates will help protect against attacks.