How Intel Has Responded to Spectre and Meltdown
In a newly published editorial and video, Intel details what specific actions it has taken in the wake of the discovery of the CPU vulnerabilities.
January 4, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blta5e8f0be1c2dbf40/64f0d51e878bc915e2a82316/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
In January of 2018, the world was introduced to two game-changing CPU vulnerabilities, Spectre and Meltdown, that brought "speculative execution side-channel vulnerability" into the enterprise IT security lexicon. Since then, a number of variants of the initial vulnerabilities have been found, along with new vulnerabilities taking advantage of similar functions within the CPUs.
Early on, chip manufacturers and software publishers rushed to release mitigation code, some of which had significant unintended consequences, including multiple system reboots and dramatic application slowdown. Since those early days after the vulns were disclosed, the response has become more measured. But many customers are still wary of any response — especially since many of the updates are either mandatory within an operating system's update stream or baked into new releases of hardware and software.
Intel kicked off 2019 with a Jan. 2 editorial laying out its response to the Spectre and Meltdown vulnerabilities over the past year. The chip giant says the culture of the company has changed since the advent of Spectre and Meltdown, and its response has been effective. But vulnerabilities in the core of a CPU tend not to lend themselves to rapid, complete fixes, Intel says.
Here's a look at Intel's retrospective on Spectre and Meltdown as well as commentary from industry experts. While questions remain about whether most users should place these vulnerabilities high on their list of concerns, there is no question that the vulnerabilities - and the response to the vulnerabilities - have had an impact on every organization and individual purchasing a computer in 2018 and beyond.
Have Spectre and Meltdown figured into your security planning? Let us know in the comment section below.
(Image: Meltdownattack.com)
Updating hundreds of millions of systems is the sort of problem that manufacturers hate. It's an especially large problem when the update requires the sort of process traditionally required to update microcode on a CPU. Intel's Culbertson said that the company has worked to solve the problem. "In June 2018, we made our MCUs [microcode updates] OS-loadable, making the update for Spectre V2 possible via Windows Update. Moving forward, we intend to enable delivery of MCUs through this automated process when possible."
Of course, the problem with tying CPU microcode patches to operating system updates is that it removes (or makes more difficult) a level of control that some users want. Akamai's Sniffen gave an example of a gaming machine he owns. "I seriously considered whether I wanted to just take the frame rate hit for my VR gaming system by taking the Spectre/Meltdown patches. Then Microsoft didn't give me any choice and it came into the patch stream," he said. "I tried it out. It's OK but I absolutely thought through the question of whether I wanted them applied."
Intel's Culbertson said that the company is sharing more information with security researchers and academics as they search for new vulnerabilities in Intel processors.
The speculative execution vulnerabilities have been notable for the number that have been discovered by academic groups. Forcepoint's Ford says that he sees academic curiosity at work in the discoveries. "This is a sort of academically interesting set of attacks because what you're dealing with is the microcode level of data unwinding inside chipsets," he explains.
Beyond conducting and sharing results, Intel says it has increased its coordination with hardware and software partners for finding and remediating issues. One example is its work with Microsoft to include a microcode update in the Windows patch stream.
For enterprise customers, the Spectre/Meltdown issues have driven significant rethinking of patching and vulnerability mitigation plans. "It took some of those plans from where we would role play those around the table and try to think it through. And it took those from the theoretical versions of that to 'maybe we should have the phone numbers ready to go on a playbook written down,' and drill on those plans," Akamai's Sniffen says.
Ford says that organizations should use these vulnerabilities as an opportunity to re-think their entire risk-assessment stance. "There are vulnerabilities at every level of that device that you call a single computer on your desk," he says. "We tend to fixate, I think sometimes, on specific types of vulnerabilities or specific weaknesses. But all the way from the supply chain to the day you decide to throw it out and every step in between, there are vulnerabilities to think about and it's very challenging."