Intel CEO Pledges Commitment to Security Following Meltdown and Spectre Vulnerabilities

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jan 11, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    [​IMG]
    Intel CEO Brian Krzanich today wrote an open letter to Intel customers following the "Meltdown" and "Spectre" hardware-based vulnerabilities that impact its processors.

    In the letter, Krzanich says that by January 15, updates will have been issued for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder coming at the end of January.

    For Apple customers, macOS and iOS devices have been patched with protection against Spectre and Meltdown. Meltdown was addressed in macOS High Sierra 10.13.2 and iOS 11.2, while Spectre mitigations were introduced in a macOS 10.13.2 supplemental update and iOS 11.2.2, both of which were released this week. The vulnerabilities have also been addressed in older versions of macOS and OS X.

    According to Krzanich, going forward, Intel promises to offer timely and transparent communications, with details on patch progress and performance data. Because Spectre and Meltdown are hardware-based vulnerabilities, they must be addressed through software workarounds. In some cases, these software patches cause machines to perform more slowly.

    Apple users do not need to worry about performance impacts. According to Apple, Meltdown had no measurable reduction in performance on devices running macOS and iOS across several benchmarks. Spectre, fixed through a Safari mitigation, had no measurable impact on most tests, but did impact performance by less than 2.5% on the JetStream benchmark. Apple says it plans to continue to refine its mitigations going further.

    In addition to remaining transparent about the performance impact of the software fixes, Krzanich says Intel will commit to disclosing security vulnerabilities and sharing hardware innovations that will, in the future, prevent such attacks.
    For those who missed the news last week, Spectre and Meltdown are serious hardware-based vulnerabilities that take advantage of the speculative execution mechanism of a CPU, potentially allowing hackers to gain access to sensitive information.

    Spectre and Meltdown impact all modern processors, including those used in Mac and iOS devices, and these two vulnerabilities will continue to be an issue for the foreseeable future as addressing them entirely requires new hardware design. Apple has prevented Spectre and Meltdown from affecting customers through software updates, but all hardware and software manufacturers will need to be wary of additional speculative execution attacks going forward.

    Apple customers should make sure to keep their Macs and iOS devices up to date with the latest software to remain protected from malicious attacks that might take advantage of the exploits.

    Article Link: Intel CEO Pledges Commitment to Security Following Meltdown and Spectre Vulnerabilities
     
  2. SecuritySteve macrumors 6502

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #2
    Total PR stunt. The severity of these vulnerabilities does not warrant this kind of apology.
     
  3. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #3
    Transparency. Was the problem or the solution?
     
  4. OldSchoolMacGuy macrumors 601

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #4
    Won't hurt them in the long run. Their stock has been great and will continue to be.

    It's not as if companies really have another option. Yes AMD exists but companies aren't going to switch everything over (and AMD was vulnerable too).

    Few months from now people won't even be talking about this.
     
  5. usersince86 macrumors 6502

    usersince86

    Joined:
    Oct 24, 2002
    Location:
    Columbus, Ohio
    #5
    True security is just part of today's reality (and even more, tomorrow's reality); will always be a challenge.
     
  6. Westside guy macrumors 603

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #6
    Well that's all well and good - but did he "double down" on security? :D
     
  7. nt5672 macrumors 68000

    Joined:
    Jun 30, 2007
    #7
    Great PR speech. Trust us, we'll do better next time.

    How about telling us how this slipped through for so long and what changes are being made to make sure there we have minimal risk of other security holes like this. Do this, and we might believe you.
     
  8. Darmok N Jalad macrumors 65816

    Darmok N Jalad

    Joined:
    Sep 26, 2017
    Location:
    Tanagra
    #8
    Maybe I'm just tired, but I can't quite grasp the tense of this statement. The word "commit" shows up multiple times. When I read it, I can't tell if they are telling us that this is something they have been doing all this time, or if it's something new they are planning on doing. If the world's largest semiconductor company wasn't all-in on security policies before now, oh dear.
     
  9. SecuritySteve macrumors 6502

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #9
    *puts on morpheus glasses* What if I told you that there are undoubtedly dozens of vulnerabilities like Spectre and Meltdown in your CPU right now? I guarantee you that there are, people just haven't discovered (or publicized) the vulnerability or how to exploit them. No amount of production-time checking will solve this issue.
    --- Post Merged, Jan 11, 2018 ---
    They are not committing to anything they weren't already doing.
     
  10. dampfnudel macrumors 68030

    Joined:
    Aug 14, 2010
    Location:
    Brooklyn, NY
    #10
    Okay, what about future processors like Ice Lake which I believe is scheduled for release next year? Should people not purchase any new Macs or Windows PCs until it’s confirmed that they’re free of this vulnerability? Will there be any compensation for customers who purchased a Mac or Windows PC with the hardware vulnerability and are now experiencing more than just a small performance degradation in their daily workflow. Just telling us about software “workarounds” that won’t impact performance “too much” isn’t good enough.
     
  11. SecuritySteve macrumors 6502

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #11
    1) What about future processors ... - Yes. Those processors will likely have the fix. Though I wouldn't be surprised if it was two generations from now due to how intel works on their processor development lifecycle.
    2) Should people not purchase any new Macs or Windows PCs ... - NO. This vulnerability is insignificant compared to the number of other fixes that impact your performance and get patched every month. Often optimizing code in one area will make the impact in a fixed area negligible. That is definitely going to be the case here.
    3) Will there be compensation ... - Probably from a class action law suit somewhere. But I don't believe they should personally. This was not a case of negligence, this was a regular case of vulnerability discovery, research, and analysis.
     
  12. sdf macrumors regular

    sdf

    Joined:
    Jan 29, 2004
    #12
    I haven't read a truly good analysis yet, but everything I have read suggests this is understating this. This is the sort of thing that almost requires the exploit be in the wild in front of millions of eyeballs before someone catches on.

    And there's probably another one like this somewhere. These systems are COMPLICATED.
     
  13. macTW Suspended

    Joined:
    Oct 17, 2016
    #13
    You mean, they shouldn’t apologize and release updates for 90% of the processors?
     
  14. SecuritySteve macrumors 6502

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #14
    "They" are not releasing any updates. Intel isn't patching this vulnerability, companies and organizations like Apple, Microsoft, and the Linux foundation are. All Intel did here was say 'Sorry, we'll fix it in upcoming products and keep doing what we're doing to fix the vulnerabilities that researchers find going forward.'
     
  15. otternonsense macrumors 6502a

    otternonsense

    Joined:
    Jul 25, 2016
    Location:
    Berlin
    #15
    Wow, just like Apple pledged commitment to better battery tech. -oh wait
     
  16. dampfnudel macrumors 68030

    Joined:
    Aug 14, 2010
    Location:
    Brooklyn, NY
    #16
    So Ice Lake will be affected. Well, maybe for the sake of transparency, Apple, HP, Dell and other companies should make it clear to every person who purchases one of their computers that the Intel processor has this vulnerability and what steps they’re taking to mitigate the problem. They need to have a message pop up before each online purchase is completed describing the problem/mitigation steps. At physical stores, an employee will take the time to explain it and there will be the appropriate documentation describing the issue inside the packaging. That would be the right thing to do.
     
  17. JPack macrumors 68030

    JPack

    Joined:
    Mar 27, 2017
    #17
    Where's Apple's apology for their processors? What about the millions of people who bought iPhone, iPad, and iPod who are affected by this flaw in Apple Ax processors.
     
  18. eicca macrumors 6502

    eicca

    Joined:
    Oct 23, 2014
    #18
    The stark truth is nothing in the digital realm will ever be truly safe. Ever.
     
  19. duervo, Jan 11, 2018
    Last edited: Jan 11, 2018

    duervo macrumors 68020

    duervo

    Joined:
    Feb 5, 2011
    #19
    Meaning addressing them requires entirely new hardware design? Doubtful. It’ll require a design change of some sort, but “entirely new design” is highly unlikely. I guess it depends on a person’s interpretation of “entirely new design”. I interpret it as Intel having to create a new CPU from the ground up. Considering that current CPU’s have all come about as a result of the original 8086 design from the late 70’s, I doubt they’re going to just throw that all out and start from scratch.

    Short term: Intel is likely to remove the predictive branch feature from their CPUs. This woildn’t require an entirely new design.

    Long Term: Intel will either try to come up with an alternate method of performing predictive features, or scrap the idea altogether. This could lead to significant design change, or nothing beyond the short term listed above, neither of which would be an entirely new design.
     
  20. SecuritySteve macrumors 6502

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #20
    "Oh my sweet summer child..." - George RR Martin

    Allow me to open your eyes to see the truth. Observe this sample security advisory, dubbed INTEL-SA-00086 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

    This is simply one of 86 security advisories that Intel has released. Each CVE reported in that advisory is a different vulnerability with it's own impact on performance of a Intel-based computer. An employee of Apple / Microsoft / any OEM should not be responsible for understanding the impact of each of these vulnerabilities.
     
  21. JPack macrumors 68030

    JPack

    Joined:
    Mar 27, 2017
    #21
    Sure they are.

    Intel is patching their end through microcode updates and BIOS.
     
  22. Solomani macrumors 68040

    Solomani

    Joined:
    Sep 25, 2012
    Location:
    Alberto, Canado
    #22
    Krzanich should be having a meltdown right now, this fiasco will be a lingering spectre that will haunt Intel for years to come.
     
  23. SecuritySteve macrumors 6502

    SecuritySteve

    Joined:
    Jul 6, 2017
    Location:
    California
    #23
    Fair enough. But for these vulnerabilities microcode updates only go so far, as stated in many reviews. So really, yes and no.
    --- Post Merged, Jan 11, 2018 ---
    Your puns are legend.
     
  24. high heaven macrumors member

    high heaven

    Joined:
    Dec 7, 2017
    #24
    Intel needs to create a new architecture in order to solve this problem. Software updates will only delay the time from getting hack. However, servers will suffer from this issue for several years while all servers using Intel CPU will suffer from the security vulnerability. At this point, it's really risky to use Intel CPU instead of AMD Ryzen. Do intel have technology and people to create a new architecture? NO. Intel had been modifying an old architecture since 1995 and never developed the new architecture to work with. It is a matter of time that Apple to switch CPU from Intel to AMD. Once again, using Intel CPU will still have security issues unless they make a new architecture. Switching CPU within Intel is meaningless since all Intel CPU after 1995 are included from this vulnerability.
     
  25. dampfnudel macrumors 68030

    Joined:
    Aug 14, 2010
    Location:
    Brooklyn, NY
    #25
    What’s the harm in letting the customer know before they hand over their money? Would you prefer the customer be in the dark and maybe if they get lucky or know the right person, then they’ll find out?
     

Share This Page