Computer chip 'flaw' sparks security debate amid scramble for fix

January 4, 2018

A newly discovered vulnerability in computer chips raised concerns Wednesday that hackers could access sensitive data on most modern systems, as technology firms sought to play down the security risks.

Chip giant Intel issued a statement responding to a flurry of warnings surfacing after researchers discovered the security hole which could allow privately stored data in computers and networks to be leaked.

Intel labeled as incorrect reports describing a "bug" or "flaw" unique to its products.

Intel chief executive Brian Krzanich told CNBC that "basically all modern processers across all applications" use this process known as "access memory," which was discovered by researchers at Google and kept confidential as companies work on remedies.

Google, meanwhile, released findings from its security researchers who sparked the concerns, saying it made the results public days ahead of schedule because much of the information had been in the media.

The security team found "serious security flaws" in devices powered by Intel, AMD and ARM chips and the operating systems running them and noted that, if exploited, "an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications."

"As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google's systems and our users' data," Google said in a security blog.

"We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web."

Spectre and Meltdown

The Google team said the vulnerabilities, labeled "Spectre" and "Meltdown," affected a number of chips from Intel as well as some from AMD and ARM, which specializes in processors for mobile devices.

Intel said it was working with AMD and ARM Holdings and with the makers of computer operating software "to develop an industry-wide approach to resolve this issue promptly and constructively."

Jack Gold, an independent technology analyst, said he was briefed in a conference call with Intel, AMD and ARM on the issue and that the three companies suggested concerns were overblown.

"All the chips are designed that way," Gold said.

The companies were working on remedies after "some researchers found a way to use existing architecture and get into protected areas of computer memory and read some of the data," he added.

Microsoft said in a statement it had no information suggesting any compromised data but was "releasing security updates today to protect Windows customers against vulnerabilities."

But an AMD spokesman said that because of the differences in AMD processor architecture, "we believe there is near zero risk to AMD products at this time."

ARM meanwhile said it was "working together with Intel and AMD" to address potential issues "in certain high-end processors, including some of our Cortex-A processors."

"We have informed our silicon partners and are encouraging them to implement the software mitigations developed if their chips are impacted," the SoftBank-owned firm said.

Slowdown?

Earlier this week, some researchers said any fix—which would need to be handled by software—could slow down computer systems, possibly by 30 percent or more.

Intel's statement said these concerns, too, were exaggerated.

"Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," the company statement said.

Tatu Ylonen, security researcher at SSH Communications Security, said the patches "will be effective" but it will be critical to get all networks and cloud services upgraded, Ylonen said.

British security researcher Graham Cluley also expressed concern "that attackers could exploit the flaw on vulnerable systems to gain access to parts of the computer's memory which may be storing sensitive information. Think passwords, private keys, credit card data."

But he said in a blog post that it was "good news" that the problem had been kept under wraps to allow operating systems such as those from Microsoft and Apple to make security updates before the flaw is maliciously exploited.

Explore further: Intel says it's fixing security vulnerability in its chips

Related Stories

Intel Boosts Mobile Celeron Performance

August 31, 2004

Intel Corporation today introduced the Intel® Celeron® M processors 350 and 360 for mobile PCs. Based on Intel's mobile architecture, the Intel Celeron M processor balances good mobile performance with exceptional value ...

Intel CEO gets $18.9M pay package in final year

April 3, 2013

The value of Intel CEO Paul Otellini's pay package rose 10 percent to $18.9 million last year as he prepared to retire. His departure next month follows a tough year during which Intel Corp. stumbled as the growing popularity ...

Intel buys password manager PasswordBox

December 1, 2014

Intel Corp. said Monday that it bought PasswordBox, a service that saves and remembers passwords so that users can log into different websites without having to remember or type in their passwords.

Intel faced hacker attack same time as Google

February 23, 2010

(AP) -- Intel Corp. has revealed that it was targeted by a "sophisticated" hacker attack this year at about the same time as a spying probe that hit Google Inc.

Recommended for you

Pushing lithium ion batteries to the next performance level

December 13, 2018

Conventional lithium ion batteries, such as those widely used in smartphones and notebooks, have reached performance limits. Materials chemist Freddy Kleitz from the Faculty of Chemistry of the University of Vienna and international ...

Uber filed paperwork for IPO: report

December 8, 2018

Ride-share company Uber quietly filed paperwork this week for its initial public offering, the Wall Street Journal reported late Friday.

2 comments

Adjust slider to filter visible comments by rank

Display comments: newest first

carbon_unit
not rated yet Jan 04, 2018
From the released findings link https://security....eed.html
The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.
So much for thinking that VMs can pretty much contain the damage of being compromised. Seems like this is an important part of the story that should have made it into the article.
Porgie
not rated yet Jan 05, 2018
There are also patches for the flaw so this is not the great Armageddon of the chip world. As a matter of fact My patch came down last night in an update. Sure its a flaw but now its been discovered and will be fixed. Ho Hum...

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.