Intel says memory security issue extends beyond its own chips (updated)

It claims the reports overstate the effect for users.

Updated ·4 min read

That major security flaw attributed to Intel chips might not be so Intel-specific after all. After hours of silence, Intel has posted a response denying some of the claims about the exploit, which is believed to revolve around identifying content in an operating system kernel's protected memory space. The chip giant shot down reports that the issue was unique to its CPUs, noting that it's working with AMD and ARM (not to mention multiple OS makers) to create a solution -- sorry, you're not safe because you have a Ryzen rig. It also reminded people that the performance hit of the fix would be "workload-dependent," and shouldn't be noticeable for the "average computer user."

The company also asserts that this isn't a flaw, but rather "software analysis methods" that could potentially grab sensitive info from computing devices. It doesn't appear to have the ability to corrupt, delete or modify data, Intel added, although that wouldn't be much comfort if someone took sensitive material. There have been "no instances" of people abusing the vulnerability, Intel chief Brian Krzanich told CNBC.

True to rumors, Intel and other firms had planned to reveal the issue "next week," or just in time for firmware and software updates that would address the problem. It only piped up sooner because it wanted to address reports.

It's not shocking that Intel would try to get ahead of the issue in this way. If this really had been an Intel-specific issue, it would have been a serious blow to a company trying to fend off rising competition from AMD and Qualcomm. At the same time, it's far from reassuring to hear that potential attacks can affect even more systems than first thought, and that few people if any would completely avoid a slowdown (however slight). Like it or not, the device you're using right now is almost certainly affected by this, and certain users (particularly server operators) are bound to notice it.

Update: AMD isn't having Intel's claims that the issue is hardware-independent. In its own statement, it asserted that architecture differences meant that there was "near zero risk" to AMD-made processors. That lines up with the initial report, which referenced communication from AMD suggesting that its processors weren't vulnerable. There's clearly a he-said-she-said dispute going on, and it may be a while before we get the full story. You can read the full statement below.

"Hi - There is a lot of speculation today regarding a potential security issue related to modern microprocessors and speculative execution. As we typically do when a potential security issue is identified, AMD has been working across our ecosystem to evaluate and respond to the speculative execution attack identified by a security research team to ensure our users are protected.

"To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time."

Update 2: The embargo on the vulnerabilities has expired early, and we now have a clearer idea of what they are. Meltdown is the one at the heart of the issue, and uses speculative execution to break the "fundamental isolation" between apps and the OS in a bid to swipe data. Spectre, meanwhile, uses a similar approach to break walls between otherwise secure apps. In fact, the safety checks of some of those apps actually make them more vulnerable. It's more difficult to exploit Spectre, but it's also more difficult to stop.

Google and Microsoft have already outlined what they're doing. Google says Android phones with the latest security update are safe, as are Google Apps, Google App Engine and smart phone devices like Google Home, Chromecast and Google WiFi. You'll want to invoke a Site Isolation feature on Chrome or Chrome OS, however. Microsoft, meanwhile, has issued a rare off-schedule Windows security update to address the problem.