Intel Misled Industry on Security Vulnerabilities
Caught in the center of a security vulnerability storm, Intel has done the unthinkable and understated the severity of the problems.
Yes, there is a lot of blame to go around here.
It was wrong for The Register (no link, deliberate) to publish information about these CPU flaws before the industry could issue all of the fixes it was readying, for example.
And it was dumb of AMD to brag—literally—that it saw almost no impact from these flaws in its own chipsets.
But if I were to point the finger of blame at one company here, and I will, it would have to be Intel. The microprocessor giant has behaved in an irresponsible manner that is just hard to explain.
Consider just three of the quotes from the microprocessor’s statement, which I reported on yesterday. Each of these claims is technically true to some degree. But oh so wrong in all the ways that are important.
“Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
Intel probably does believe that. But the firm left out the most important bit: Exploits based on the revealed flaws have the ability to steal your data. And this can happen in cloud-based servers, which makes the flaws particularly dangerous.
“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect.”
It’s unclear why Intel put quotes around the words “bug” and “flaw” since there are in fact two bugs—or flaws—in all of its microprocessors. Are they unique to Intel chips? No. But Intel is hit the hardest here, because it has the most affected microprocessors still in use in the market, in particular in server and cloud workloads. And there is no fix for one of the flaws.
“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Put simply, the fixes that are required will impact the performance of the CPU and thus the system of which it is part. And there is an evolving understanding of what this impact will be across those workloads, yes. So while it is probably fair to say that the performance impact on end-user PCs will be “not significant,” this comment neatly leaves out the most important bit. The performance impact to Linux-based servers—which power about 30 percent of the Internet—could be as high as 30 percent.
Put simply, each of these statements is irresponsible. And Intel needs to be held accountable for this misinformation.