Intel CEO Addresses the Industry on Meltdown and Spectre Issues in Open Letter
by Anton Shilov on January 11, 2018 10:15 PM ESTBrian Krzanich on Thursday published an open letter addressing its partners and customers regarding the aftermath of the Meltdown and Spectre exploits publication. Chief executive of Intel reiterated the company’s plans to release security updates for its recent CPUs by early next week and mentioned the importance of collaborative industry-wide security assurance and responsible disclosures regarding security vulnerabilities going forward.
Intel intends to release software and firmware patches for 90% of its CPUs launched in the past five years by January 15. By the end of the month, Intel plans to issue software updates for the remainder 10% of processors introduced in the same period. After that, Intel will focus on releasing updates for older products based on requests and priorities of its customers. The company confirms that patches have an impact on performance and says that it varies widely based on workloads and mitigation technique.
Going forward, the world’s largest maker of microprocessors plans to share hardware innovations with the industry to fast-track development of protection against side-channel attacks. In addition, the company intends to increase funding for academic and independent research of security threats. Brian Krzanich expects other industry players to follow similar practices: share security-related hardware innovations and help researchers of security vulnerabilities.
The original letter reads as follows:
An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders
Following announcements of the Google Project Zero security exploits last week, Intel has continued to work closely with our partners with the shared goal of restoring confidence in the security of our customers’ data as quickly as possible. As I noted in my CES comments this week, the degree of collaboration across the industry has been remarkable. I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration. In particular, we want to thank the Google Project Zero team for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.
As this process unfolds, I want to be clear about Intel’s commitments to our customers. This is our pledge:
1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.
2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.
3. Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.
We encourage our industry partners to continue to support these practices. There are important roles for everyone: Timely adoption of software and firmware patches by consumers and system manufacturers is critical. Transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.
The bottom line is that continued collaboration will create the fastest and most effective approaches to restoring customer confidence in the security of their data. This is what we all want and are striving to achieve.
— Brian Krzanich
Related Reading:
Source: Intel
65 Comments
View All Comments
Wolfclaw - Friday, January 12, 2018 - link
Customer-First Urgency - Those who buy a lot get priority, little guy can go fish.Transparent and Timely Communications - Well make an announcement months later, after our board members sell their shares.
Ongoing Security Assurance - NSA has asked us to keep the remaining holes quiet.
Hurr Durr - Friday, January 12, 2018 - link
NSA? Try Mossad.FunBunny2 - Friday, January 12, 2018 - link
"NSA? Try Mossad."I knew there was some folks who have all those Trump/Putin chats on tape. :):)
bill44 - Friday, January 12, 2018 - link
No mention how future CPU designs mitigate Meltdown/Spectre.Designs for CPUs coming out this year have been frozen a while back and no major redisign has been planned.
When can we expect Meltdown/Specre free CPUs? 2020/2021?
Pork@III - Friday, January 12, 2018 - link
Mmm, yes...If these new generations of processors are not drilled from the next versions of Meltdown / Specter :Ddgingeri - Friday, January 12, 2018 - link
Remember, this is the same guy who sold much of his stock in Intel back in November. That says something about his credibility.libertytrek - Monday, January 15, 2018 - link
This, 1,000 times. I can't believe no one else is raising this huge red flag. Maybe/hopefully one of the lawsuits will address it.dgingeri - Friday, January 12, 2018 - link
I am seeing a LOT of very ignorant responses here, and this surprises me.1. The big performance hit of this patch is on servers, particularly database and web servers. Most desktop apps won't see anything, regardless of how old your system may be. So stop whining about the patch being mandatory, as it will likely not impact your system in any meaningful way, unless you are being so pedantic as to be upset about a 3% decrease in your benchmark scores.
2. All this wining about "being forced to upgrade" to either a new processor or Windows 10 is really annoying. You aren't 'forced' into anything with this.
3. There are FAR more compelling reasons to upgrade to Windows 10. The security behind the scenes is FAR better, especially over Windows 7, and MASSIVELY over Windows XP. I'm not even going to address the ignorant idiots still using WinXP, but those of you still sticking to Windows 7, THERE IS NO REASON FOR YOU TO FEAR WINDOWS 10! Some things have moved around a little, but mostly, it's the same as Windows 7, but has far better security and runs many legacy apps better than Windows 7. It is not smarter to stick with a less secure, less stable, older OS.
4. There are far better reasons to upgrade your old hardware. Believe it or not, even electronics wear down over time. Your 7 year old laptop with Sandy Bridge isn't just less efficient, but also will become less stable over time, and it is NOT Microsoft's fault. Capacitors degrade over use. Batteries degrade over time and use and heat, and wind up producing less stable power, which can damage those previously mentioned capacitors. Even silicon degrades over time, causing instability. These complaints about patches making your laptop less stable or slower is very ignorant. It is your hardware being old that is making it less stable, and therefore making the system compensate for some errors that is making it slower, not the operating system or the patches.
Now you are informed. Stop being intentionally ignorant and stop whining about things you know nothing about.
Pork@III - Friday, January 12, 2018 - link
I see something new: https://phys.org/news/2018-01-finnish-firm-intel-f...Brian Krzanic, I think he'll have to sell his Intel shares, again. :D
dgingeri - Friday, January 12, 2018 - link
Yeah, that's been a known likely vulnerable point for a while. It's also not easily patchable. It's a poor design choice from its inception, and most users have voiced their objections to it, but they haven't been listening to users for a long time. The only way to really protect against this is to disable the onboard wireless (or take out the wireless adapter card) and put in a USB wireless adapter.