Intel CEO Pledges Commitment to Security Following Meltdown and Spectre Vulnerabilities

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,164
9,690



Intel CEO Brian Krzanich today wrote an open letter to Intel customers following the "Meltdown" and "Spectre" hardware-based vulnerabilities that impact its processors.

In the letter, Krzanich says that by January 15, updates will have been issued for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder coming at the end of January.

For Apple customers, macOS and iOS devices have been patched with protection against Spectre and Meltdown. Meltdown was addressed in macOS High Sierra 10.13.2 and iOS 11.2, while Spectre mitigations were introduced in a macOS 10.13.2 supplemental update and iOS 11.2.2, both of which were released this week. The vulnerabilities have also been addressed in older versions of macOS and OS X.

According to Krzanich, going forward, Intel promises to offer timely and transparent communications, with details on patch progress and performance data. Because Spectre and Meltdown are hardware-based vulnerabilities, they must be addressed through software workarounds. In some cases, these software patches cause machines to perform more slowly.

Apple users do not need to worry about performance impacts. According to Apple, Meltdown had no measurable reduction in performance on devices running macOS and iOS across several benchmarks. Spectre, fixed through a Safari mitigation, had no measurable impact on most tests, but did impact performance by less than 2.5% on the JetStream benchmark. Apple says it plans to continue to refine its mitigations going further.

In addition to remaining transparent about the performance impact of the software fixes, Krzanich says Intel will commit to disclosing security vulnerabilities and sharing hardware innovations that will, in the future, prevent such attacks.

"Our customers' security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats."

For those who missed the news last week, Spectre and Meltdown are serious hardware-based vulnerabilities that take advantage of the speculative execution mechanism of a CPU, potentially allowing hackers to gain access to sensitive information.

Spectre and Meltdown impact all modern processors, including those used in Mac and iOS devices, and these two vulnerabilities will continue to be an issue for the foreseeable future as addressing them entirely requires new hardware design. Apple has prevented Spectre and Meltdown from affecting customers through software updates, but all hardware and software manufacturers will need to be wary of additional speculative execution attacks going forward.

Apple customers should make sure to keep their Macs and iOS devices up to date with the latest software to remain protected from malicious attacks that might take advantage of the exploits.

 

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,050
Won't hurt them in the long run. Their stock has been great and will continue to be.

It's not as if companies really have another option. Yes AMD exists but companies aren't going to switch everything over (and AMD was vulnerable too).

Few months from now people won't even be talking about this.
 

nt5672

macrumors 68000
Jun 30, 2007
1,984
4,229
Great PR speech. Trust us, we'll do better next time.

How about telling us how this slipped through for so long and what changes are being made to make sure we have minimal risk of other security holes like this. Do this, and we might believe you.
 

Darmok N Jalad

macrumors 68020
Sep 26, 2017
2,399
8,911
Tanagra (not really)
Maybe I'm just tired, but I can't quite grasp the tense of this statement. The word "commit" shows up multiple times. When I read it, I can't tell if they are telling us that this is something they have been doing all this time, or if it's something new they are planning on doing. If the world's largest semiconductor company wasn't all-in on security policies before now, oh dear.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
832
971
California
Great PR speech. Trust us, we'll do better next time.

How about telling us how this slipped through for so long and what changes are being made to make sure we have minimal risk of other security holes like this. Do this, and we might believe you.
*puts on morpheus glasses* What if I told you that there are undoubtedly dozens of vulnerabilities like Spectre and Meltdown in your CPU right now? I guarantee you that there are, people just haven't discovered (or publicized) the vulnerability or how to exploit them. No amount of production-time checking will solve this issue.
Maybe I'm just tired, but I can't quite grasp the tense of this statement. The word "commit" shows up multiple times. When I read it, I can't tell if they are telling us that this is something they have been doing all this time, or if it's something new they are planning on doing. If the world's largest semiconductor company wasn't all-in on security policies before now, oh dear.
They are not committing to anything they weren't already doing.
 

dampfnudel

macrumors 68040
Aug 14, 2010
3,180
1,418
Brooklyn, NY
Okay, what about future processors like Ice Lake which I believe is scheduled for release next year? Should people not purchase any new Macs or Windows PCs until it’s confirmed that they’re free of this vulnerability? Will there be any compensation for customers who purchased a Mac or Windows PC with the hardware vulnerability and are now experiencing more than just a small performance degradation in their daily workflow? Just telling us about software “workarounds” that won’t impact performance “too much” isn’t good enough.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
832
971
California
Okay, what about future processors like Ice Lake which I believe is scheduled for release next year? Should people not purchase any new Macs or Windows PCs until it’s confirmed that they’re free of this vulnerability? Will there be any compensation for customers who purchased a Mac or Windows PC with the hardware vulnerability. Just telling us about software “workarounds” that won’t impact performance “too much” isn’t good enough.
1) What about future processors ... - Yes. Those processors will likely have the fix. Though I wouldn't be surprised if it was two generations from now due to how Intel works on their processor development lifecycle.
2) Should people not purchase any new Macs or Windows PCs ... - NO. This vulnerability is insignificant compared to the number of other fixes that impact your performance and get patched every month. Often optimizing code in one area will make the impact in a fixed area negligible. That is definitely going to be the case here.
3) Will there be compensation ... - Probably from a class action lawsuit somewhere. But I don't believe they should personally. This was not a case of negligence, this was a regular case of vulnerability discovery, research, and analysis.
 

sdf

macrumors 6502
Jan 29, 2004
309
245
This was not a case of negligence, this was a regular case of vulnerability discovery, research, and analysis.
I haven't read a truly good analysis yet, but everything I have read suggests this is understating this. This is the sort of thing that almost requires the exploit be in the wild in front of millions of eyeballs before someone catches on.

And there's probably another one like this somewhere. These systems are COMPLICATED.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
832
971
California
You mean, they shouldn’t apologize and release updates for 90% of the processors?
"They" are not releasing any updates. Intel isn't patching this vulnerability, companies and organizations like Apple, Microsoft, and the Linux Foundation are. All Intel did here was say 'Sorry, we'll fix it in upcoming products and keep doing what we're doing to fix the vulnerabilities that researchers find going forward.'
 

dampfnudel

macrumors 68040
Aug 14, 2010
3,180
1,418
Brooklyn, NY
1) What about future processors ... - Yes. Those processors will likely have the fix. Though I wouldn't be surprised if it was two generations from now due to how Intel works on their processor development lifecycle.
2) Should people not purchase any new Macs or Windows PCs ... - NO. This vulnerability is insignificant compared to the number of other fixes that impact your performance and get patched every month. Often optimizing code in one area will make the impact in a fixed area negligible. That is definitely going to be the case here.
3) Will there be compensation ... - Probably from a class action lawsuit somewhere. But I don't believe they should personally. This was not a case of negligence, this was a regular case of vulnerability discovery, research, and analysis.
So Ice Lake will be affected. Well, maybe for the sake of transparency, Apple, HP, Dell and other companies should make it clear to every person who purchases one of their computers that the Intel processor has this vulnerability and what steps they’re taking to mitigate the problem. They need to have a message pop up before each online purchase is completed describing the problem/mitigation steps. At physical stores, an employee will take the time to explain it and there will be the appropriate documentation describing the issue inside the packaging. That would be the right thing to do.
 

JPack

macrumors 603
Mar 27, 2017
5,443
8,188
Where's Apple's apology for their processors? What about the millions of people who bought iPhone, iPad, and iPod who are affected by this flaw in Apple Ax processors.
 

duervo

macrumors 68020
Feb 5, 2011
2,317
1,042


...

Spectre and Meltdown impact all modern processors, including those used in Mac and iOS devices, and these two vulnerabilities will continue to be an issue for the foreseeable future as addressing them entirely requires new hardware design.

...
Meaning addressing them requires entirely new hardware design? Doubtful. It’ll require a design change of some sort, but “entirely new design” is highly unlikely. I guess it depends on a person’s interpretation of “entirely new design”. I interpret it as Intel having to create a new CPU from the ground up. Considering that current CPU’s have all come about as a result of the original 8086 design from the late 70’s, I doubt they’re going to just throw that all out and start from scratch.

Short term: Intel is likely to remove the predictive branch feature from their CPUs. This wouldn’t require an entirely new design.

Long Term: Intel will either try to come up with an alternate method of performing predictive features, or scrap the idea altogether. This could lead to significant design change, or nothing beyond the short term listed above, neither of which would be an entirely new design.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
832
971
California
So Ice Lake will be affected. Well, maybe for the sake of transparency, Apple, HP, Dell and other companies should make it clear to every person who purchases one of their computers that the Intel processor has this vulnerability and what steps they’re taking to mitigate the problem. They need to have a message pop up before each online purchase is completed describing the problem/mitigation steps. Same story at physical stores where an employee will take the time to explain it and there will be the appropriate documentation describing the issue inside the packaging. That would be the right thing to do.
"Oh my sweet summer child..." - George RR Martin

Allow me to open your eyes to see the truth. Observe this sample security advisory, dubbed INTEL-SA-00086 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

This is simply one of 86 security advisories that Intel has released. Each CVE reported in that advisory is a different vulnerability with its own impact on performance of an Intel-based computer. An employee of Apple / Microsoft / any OEM should not be responsible for understanding the impact of each of these vulnerabilities.
 

JPack

macrumors 603
Mar 27, 2017
5,443
8,188
"They" are not releasing any updates. Intel isn't patching this vulnerability, companies and organizations like Apple, Microsoft, and the Linux Foundation are. All Intel did here was say 'Sorry, we'll fix it in upcoming products and keep doing what we're doing to fix the vulnerabilities that researchers find going forward.'
Sure they are.

Intel is patching their end through microcode updates and BIOS.
 

SecuritySteve

macrumors 6502a
Jul 6, 2017
832
971
California
Sure they are.

Intel is patching their end through microcode updates and BIOS.
Fair enough. But for these vulnerabilities microcode updates only go so far, as stated in many reviews. So really, yes and no.
Krzanich should be having a meltdown right now, this fiasco will be a lingering spectre that will haunt Intel for years to come.
Your puns are legend.
 

high heaven

macrumors 6502
Dec 7, 2017
415
130
Intel needs to create a new architecture in order to solve this problem. Software updates will only delay getting hacked. However, servers will suffer from this issue for several years, while all servers using Intel CPUs will suffer from the security vulnerability. At this point, it's really risky to use an Intel CPU instead of AMD Ryzen. Does Intel have the technology and people to create a new architecture? NO. Intel has been modifying an old architecture since 1995 and never developed a new architecture to work with. It is a matter of time before Apple switches CPUs from Intel to AMD. Once again, using an Intel CPU will still have security issues unless they make a new architecture. Switching CPUs within Intel is meaningless since all Intel CPUs after 1995 are affected by this vulnerability.
 

dampfnudel

macrumors 68040
Aug 14, 2010
3,180
1,418
Brooklyn, NY
"Oh my sweet summer child..." - George RR Martin

Allow me to open your eyes to see the truth. Observe this sample security advisory, dubbed INTEL-SA-00086 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

This is simply one of 86 security advisories that Intel has released. Each CVE reported in that advisory is a different vulnerability with its own impact on performance of an Intel-based computer. An employee of Apple / Microsoft / any OEM should not be responsible for understanding the impact of each of these vulnerabilities.
What’s the harm in letting the customer know before they hand over their money? Would you prefer the customer be in the dark and maybe if they get lucky or know the right person, then they’ll find out?
 