The Daily Swig Web security digest

Intel to issue Meltdown, Spectre patches within a week

James Walker | 10 January 2018 at 15:20

CEO Brian Krzanich admits that performance will be affected.

By the end of this month, Intel expects to roll out patches for the Meltdown and Spectre vulnerabilities for all of its processors introduced in the last five years, the company’s CEO has confirmed. The majority of these chips are expected to be patched within a week.

Taking the stage at CES 2018, which kicked off in Las Vegas yesterday, Intel CEO Brian Krzanich addressed the recent revelations that an architecture-level flaw in its CPUs – along with those produced by rivals AMD and Arm – could enable attackers to covertly glean privileged information from system memory.

Discovered almost simultaneously by numerous independent security researchers around the world, the Meltdown and Spectre exploits take advantage of flaws related to ‘speculative execution’ – a feature on modern CPUs that helps boost performance by carrying out tasks ahead of time.

According to the researchers, a security loophole could allow unprivileged applications to not only monitor these tasks, which are held in the processor’s cache, but ultimately gain access to full system memory, potentially compromising passwords, encrypted communications, and financial information.

“For our processors and products introduced in the last five years, Intel expects to issue updates for more than 90% of them within a week, and the remaining by the end of January,” Krzanich said yesterday.

Because the vulnerability cannot be mitigated with a microcode update, OS vendors were left with the unenviable task of devising and pushing through patches that establish a workaround, dubbed kernel page-table isolation (KPTI).

Speculation has been mounting about the mooted drop in CPU performance following the patches, which split kernel and user spaces to prevent information leaks. And while Krzanich did not go into specifics, his keynote came with the admission that Intel processor speeds will indeed be affected.

“We believe the performance impact of these updates is highly workload dependent, and as a result we expect some workloads may have a larger impact than others, so we will continue working with the industry to minimize the impact on those workloads, over time.”

All major OS vendors and cloud computing firms have now issued their own patches for the vulnerabilities in Intel, Arm, and AMD chips (although Microsoft has pulled its fix for some older AMD chipsets following reports of PCs not booting) – and their efforts were not lost on the Intel CEO.

“I want to take a moment to thank the industry for coming together… to address the recent security research findings,” Krzanich said. “The collaboration amongst so many companies to address this industry-wide issue across several different processor architectures has been truly remarkable.”
