Intel CEO Brian Krzanich used the opening of his Consumer Electronics Show keynote in Las Vegas on Jan. 8 to publicly comment on the recently disclosed Meltdown and Spectre security vulnerabilities that impact the majority of the world’s CPUs.
Jan. 9 was originally intended to be the day that the Meltdown and Spectre CPU flaws were to be publicly disclosed, but media speculation led to a Jan. 3 disclosure of the critical flaws.
“The collaboration among so many companies to address this industrywide issue across several different processor architectures has been truly remarkable,” Krzanich said during his keynote. “Security is job No. 1 for Intel and our industry, so the primary focus of our decisions and our discussions have been to keep our customers’ data safe.”
The Meltdown vulnerability largely impacts Intel CPUs, while the Spectre flaw has broad impact across multiple types of vendor CPUs, including Advanced Micro Devices and ARM. The flaws could potentially enable an attacker to read items from a system’s memory, which could lead to private information disclosure.
“As of now, we have not received any information that these exploits have been used to obtain customer data, and we are working tirelessly on these issues to ensure it stays that way,” Krzanich said. “The best thing you can do to make sure your data remains safe is to apply any updates from your operating system vendor and system manufacturer as soon as they become available.”
Intel has been busy over the past week making firmware updates available, and Krzanich said more than 90 percent of Intel processors will have an update available by the end of the week, with the remainder by the end of January.
In addition to Intel firmware updates, the Meltdown and Spectre flaws also generally require operating system updates. Microsoft publicly released its patches on Jan. 3, though the patches have reportedly been causing trouble for some PC owners with AMD processors.
The CPU flaws also impact Apple’s operating systems, and the company had quietly provided some mitigation for Meltdown in its macOS High Sierra 10.13.1 and iOS 11.0.1 updates, but had not addressed the Spectre issue. On Jan. 8, Apple released the macOS High Sierra 10.13.2, Safari 11.0.2 and iOS 11.0.2 updates to address the Spectre vulnerabilities, formally identified as CVE-2017-5753 and CVE-2017-5715.
With Spectre, there was a risk that an attacker could read system memory via a web browser. As such, Apple has now integrated changes into the WebKit rendering engine used in macOS and iOS to help mitigate the Spectre risk.
While operating system vendors are rolling out updates to provide risk mitigation, security vendors have been busy building different detection mechanisms to identify possible Meltdown or Spectre attacks.
Among the vendors that have released Meltdown and Spectre detection software is container security vendor Capsule 8. On Jan. 9, the security startup released an open-source Spectre detector that is able to help detect cache side channel attacks.
“A common element to all of the published attacks for all three vulnerability variants of these attacks so far has been the use of cache timing attacks to leak the read speculatively read data to the attacker,” Capsule 8 stated in a blog post.
One of the side effects of the Meltdown and Spectre patches is that the mitigations provided by Intel and operating system vendors can slow system performance by as much as 30 percent. Among the organizations that have publicly complained about the Meltdown patches impacting performance is Epic Games, which blamed a slowdown of its online gaming platform on the patches. Intel, however, is downplaying the performance issues related to the patches.
“We believe the performance impact of these updates is highly workload-dependent,” Krzanich said during his CES keynotes. “As a result, we expect some workloads may have a larger impact than others, so we will continue working with the industry to minimize the impact on those workloads over time.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.