Intel appears to have encountered some daylight in its struggle to fix performance issues related to the Meltdown and Spectre vulnerabilities.
The company has identified the root cause on its older Broadwell and Haswell platforms, Navin Shenoy, general manager of Intel’s data center group, wrote in an online post earlier this week.
Intel has begun rolling out a solution to its industry partners for testing, Shenoy said, but the company urged OEMs, cloud providers, software vendors, end users and others to stop deployment of existing versions, warning that they are vulnerable to higher-than-normal reboots and other unpredictable behavior.
“I apologize for any disruption this change in guidance may cause,” Shenoy wrote. “The security of our products is critical for Intel, our customers and partners, and for me, personally.”
The company has been working around the clock to resolve the issues, he added.
Intel has been under fire for its initial response to the Meltdown and Spectre vulnerabilities, which were disclosed earlier this month. Researchers at Google’s Project Zero originally discovered the vulnerability in mid 2016; however, they shared their information with Intel and various industry partners under confidentiality agreements that allowed researchers to work toward a coordinated fix.
The Meltdown and Spectre vulnerabilities could allow non-privileged users to gain access to passwords or secret keys on a computer system.
Intel has issued firmware updates for 90 percent of its CPUs from the past five years, Shenoy said in a post last week. However, the security updates led to more frequent reboot issues for customers.
The Ivy Bridge, Sandy Bridge, Sky Lake and Kaby Lake platforms have shown similar behavior, he noted.
The company’s latest progress offers new hope.
“Having identified a root cause, we’re now able to work on developing a solution to address it,” said Intel spokesperson Danya Al-Qattan.
When asked how many customers were impacted, she told TechNewsWorld the company does not publicly disclose communications with its customers.
Intel is not the only chip manufacturer that is impacted by the exploit. Intel has been working with other manufacturers, including AMD, ARM and Qualcomm, to find an industry-wide solution.
Intel’s announcement is a sign that the company expects to be able to resolve the crisis, said Kevin Krewell, principal analyst at Tirias Research.
“Intel believes they have identified the reboot cause in the microcode patch,” he told TechNewsWorld. “It has been observed in the Broadwell and Haswell processors — but fundamentally, the bug with the original patch could also affect other Intel generations.”
More testing by Intel, by operating system vendors, and by IT professionals will have to take place before “we’re completely out of the woods,” Krewell said.
While the development is good news, there remains a question as to whether customers will trust that Intel is able to resolve the vulnerability fully without impacting performance, said Mark Nunnikhoven, vice president of cloud research at Trend Micro.
“The challenge here is that teams have already deployed multiple sets of patches related to this issue to varying degrees of success,” he told TechNewsWorld. “It would be natural for some teams to hesitate to deploy this patch until they are sure that it correctly addresses the issue.”
While there have been multiple proof-of-concept attacks, so far there have been no reports of an actual exploit for Spectre and Meltdown used in the wild. This makes the calculation on whether further patching is warranted more difficult, Nunnikhoven noted.
“Vendors need to keep testing these patches and verifying that they correctly address the issues,” he said. “Users need to evaluate the risk of a patch going wrong against the impact of a possible attack.”
The microcode updates modify the functions of the CPU, and they need to be tested thoroughly before being deployed on any production systems, said Francisco Donoso, lead MSS architect at Kudelski Security.
“Unfortunately, it appears that organizations — including hardware manufacturers — have rushed to deploy updates in order to mitigate these vulnerabilities quickly,” he told TechNewsWorld, noting that Intel and its partners had six months to coordinate with its partners, operating system developers, manufacturers and browser developers.
Intel has not provided enough technical details about the issue or about its plans to resolve it, Donoso maintained.
“While these topics are fairly complex and difficult to grasp,” he acknowledged, “the lack of transparency from Intel makes it difficult for technology professionals to truly assess the potential issues these new updates may cause.”