How tech giants are dealing with a massive chip vulnerability
The entire tech industry is scrambling to create software patches that close a massive security hole due to a decade-long flaw in how nearly all modern chips are designed.
The vulnerabilities, first reported to affect Intel chips, also affect, to varying degrees, processors made by rival AMD as well as the ARM processors used in cell phones and other devices.
Why it matters: This is the broadest security vulnerability to date, affecting nearly all computers, servers and other devices, including smartphones. For now, most fixes involve updates to the operating systems and cloud services developed by Apple, Amazon, Microsoft, Google and others.
Dig Deeper: A good explainer on the vulnerabilities and who is affected is offered here.
Here's what the major companies have said so far.
"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.
"Recent reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits."
Click here for the rest of Intel's statement
Update: On a conference call, Intel said it doesn't expect a significant financial impact from the issue.
Microsoft is updating Windows 10 today with a special fix for the issue and also making available updates for Windows 7 and Windows 8.
"We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
Researchers from Google's Project Zero found the vulnerabilities last year and reported them to Intel, AMD and ARM in June 2017. In a blog post, Google disclosed what product actions it is taking with regard to Android, Chrome OS and the Google Cloud. It said other products, such as Chromecast and Google Home, aren't affected.
"This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours. We will keep customers apprised of additional information with updates to our security bulletin, which can be found here."
"To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time."
"Arm (has) been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory. Please note that our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.
"We are encouraging our silicon partners to implement the software mitigations developed if their chips are impacted."
Apple has not yet responded to requests for comment.