Intel responds to security research bug, says no cause for concern

Late last night, we reported on news that Intel processors have a serious bug that could allow malicious applications to read the contents of protected memory. Today, Intel has officially commented on the situation, but the response is carefully crafted and doesn't provide any significant details of what's going on. Two main points Intel appears to make in its statement are that this isn't a bug—the processors are apparently working as intended—and that there should be no significant performance impact for the 'average computer user.' Let's analyze things a bit more, though.

First, let's start with the claim that this is not a bug and that things are working as intended. What Intel actually states is, "recent reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect." Taken as a whole, that doesn't mean much. It could still be a bug or a flaw, but it's not unique to Intel; or it could be that this isn't a bug at all but is simply a new attack vector that wasn't previously considered. Either way, it doesn't mean there aren't potential exploits, but that Intel isn't alone. More critically, the vulnerability may have existed for a decade or more and may impact many other chips.

The second claim is a bit more interesting. Saying that the average computer user should not be affected isn't really surprising, based on what we've heard. The exploit appears to involve running user code that attempts to read privileged kernel memory. In a virtualized computing environment, this could be disastrous—imagine being able to run code on an AWS or Azure instance and find out what other VMs are doing, potentially even uncovering passwords or other sensitive data. But your 'average computer user' almost certainly isn't going to be running a hypervisor.

Intel does say that the performance impact from any patch will be workload-dependent, which again doesn't tell us much. Virtual machine environments can be extremely complex, and seemingly small changes to a system configuration can have a large impact on performance. So it's not that this vulnerability and its fix won't impact performance for all cases, but that it's unlikely to affect typical desktop and laptop workloads—which includes games.

Intel will reveal additional details later this week, but the initial reason for the delay is that Intel and others are already working to implement software and firmware fixes to these new exploits—which appear to come from security researchers and have not yet been found in the wild. This is the proper way to do things, because once the fixes are announced, unpatched software/hardware may become vulnerable and real-world exploits could appear. But recent updates to the Linux kernel indicated something was up, and the news wire has been alive with speculation, so Intel felt it was appropriate to make at least a limited comment.

A full statement of disclosure was already planned for next week, after the patches and fixes/workarounds are available, and that will presumably still take place. At that point, we'll hopefully have a better idea of what exactly is going on and how large the impact will be on performance. Indications are that servers and virtual machine environments will be the hardest hit, and Intel may not be the only CPU vendor impacted. So far, benchmarks run using the pre-patch and post-patch versions of Linux show negligible changes in normal workloads, but no one has undertaken any serious virtualization workload benchmarks.

So far, AMD claims its processors are not affected, but we'll know more in the coming weeks. ARM products may also be affected, though I suspect much like Intel, if that happens it generally won't impact your typical smartphone user.

Update: the site has whitepapers on the two attack vectors, named Meltdown and Spectre. While Meltdown appears to affect only Intel CPUs (going back at least to 2011, and possibly much further), Spectre has been verified on CPUs from AMD, ARM, and Intel.