Late last night, a bombshell report from The Register detailed a worrisome new vulnerability said to impact all Intel chips released over the past decade. The report explained how the vulnerability might potentially enable malicious actors to access sensitive data — such as passwords — stored in protected memory. Though Microsoft and Apple were reportedly already working on a fix, the initial report relayed that updated machines might run as much as 30% slower after the fact.
Now that a bit more time has passed, we’ve since learned that the vulnerability in question not only impacts Intel processors, but AMD and ARM processors as well. So while this is still an incredibly serious issue, it’s not a problem that uniquely puts Intel alone into crisis mode. All that said, Intel has since come out with an official statement on the matter where, among other things, it notes that patched machines will not, as initially reported, necessarily run 30% slower.
Intel’s statement, which can be read below, also makes a point of noting that any exploits based on the newly discovered vulnerability will not be able to modify or delete any sensitive data.
Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
AMD, meanwhile, issued a press release of its own noting that its own chips are, in fact, also impacted by the exploit. Still, AMD makes a point of stating that its chips are practically at “zero risk” for being exploited. The company’s full statement (via Barron’s) can be read below:
There is a lot of speculation today regarding a potential security issue related to modern microprocessors and speculative execution. As we typically do when a potential security issue is identified, AMD has been working across our ecosystem to evaluate and respond to the speculative execution attack identified by a security research team to ensure our users are protected.
To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.
As a final point, it’s worth noting that Apple already patched things up when it released macOS 10.13.2 last month.