CPU Makers Confirm New Security Flaws, So Update Now

Intel is finally confirming that its computer processors are vulnerable to an additional variant of Spectre, the nasty security vulnerability that affects nearly every CPU currently in devices and in the marketplace.

German computing magazine C't first reported the additional flaws, which can be exploited in a browser setting using a runtime (think JavaScript), on May 3. When we reached out to CPU makers, including Intel and AMD, at that time, they declined to comment. Instead, they made loose allusions to an embargo, which is when companies (as well as security researchers and often journalists) withhold information until an agreed-upon time.

But that didn't stop Germany from taking the newly reported threats seriously. Last week, the country's Federal Office for Information Security (BSI) asked that the makers of the affected CPUs fix the flaws as soon as possible and issued a warning to consumers in defiance of the embargo.

Gizmodo was not privy to this embargo or the details within it. However, Intel is now confirming C't's report. In a blog post, Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, confirmed that additional vulnerabilities did exist.

The vulnerabilities appear to be of the Spectre variety, which takes advantage of speculative execution, a computing practice used by almost all modern microprocessors. Called Variant 4, this new exploit can be used in a browser. Thankfully, all major browsers, including Chrome and Firefox, should be patched for the vulnerability. So make sure your browser is up to date and stays up to date.

A patch for the vulnerability is expected to be released by most major computer makers in the coming weeks and a beta of the patch has already been released to those manufacturers.

As for how much the patch will slow down your computer, in testing Intel has "observed a performance impact of approximately 2 to 8 per cent." That should be negligible to most people, but it definitely adds up when you consider the previous patches, which also reportedly slowed computers down incrementally.

What this ultimately confirms is that CPU makers need to learn a new way to perform speculative processing or these vulnerabilities will continue to occur; CPU makers will continue to brag about the speeds of their CPUs, and then they will continue to be forced to patch, and essentially throttle, those CPUs after release. If you're in CPU academia or the security research field, this is an exciting time. If you're an engineer at Intel, it's considerably less so.

Besides Intel, AMD and ARM have also confirmed they are subject to the vulnerability, which means the same good security practice rules apply to people with AMD-powered computers or ARM-based phones (both Qualcomm and Apple mobile processors are based on ARM). Keep everything updated, even if it feels like a chore.

[Intel, AMD, ARM]


Comments

    So Update Now

    A patch is expected to be in the coming weeks

    Looks like I'm patching my machines tonight.

    I'm overdue on my own calendar so this is basically a good reason to do so now.

    Oh who fucking cares. It is now normal practise that chip makers and their clients issue software updates that slow down your device’s performance, “coz’ oh no sekurty!!1”.

    Yet another reason to plug my N64 back in. This decade is just the worst.

      This decade is just the worst.
      That's an A+ overreaction there.

        WE'RE ALL GOING TO DIE. THE MEN WITH THE SIGN WERE RIGHT! THEY WERE RIIIIGHTT

    guess i should plug my 486 back in and go back to Lemmings / Dune II

    ASUS didn’t issue a BIOS update for my laptop for 2016 so I guess they won’t do it now either.
