Jan 3, 2018

How tech giants are dealing with a massive chip vulnerability


The entire tech industry is scrambling to create software patches that close a massive security hole due to a decade-long flaw in how nearly all modern chips are designed.

The vulnerabilities, first reported to affect Intel chips, also affect to varying degrees processors made by rival AMD as well as the ARM processors used in cell phones and other devices.

Why it matters: This is the broadest security vulnerability to date, affecting nearly all computers, servers and other devices, including smartphones. For now, most fixes involve updates to the operating systems and cloud services developed by Apple, Amazon, Microsoft, Google and others.

Dig Deeper: A good explainer on the vulnerabilities and who is affected is offered here.

Here's what the major companies have said so far.


"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

"Recent reports that these exploits are caused by a "bug" or a "flaw" and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors' processors and operating systems — are susceptible to these exploits."


Update: On a conference call, Intel said it doesn't expect a significant financial impact from the issue.


Microsoft is updating Windows 10 today with a special fix for the issue and also making available updates for Windows 7 and Windows 8.

"We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and have also released security updates to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, ARM, and AMD. We have not received any information to indicate that these vulnerabilities had been used to attack our customers."


Researchers from Google's Project Zero found the vulnerabilities last year and reported them to Intel, AMD and ARM in June 2017. In a blog post, Google disclosed what product actions it is taking with regard to Android, Chrome OS and the Google Cloud. It said other products, such as Chromecast and Google Home, aren't affected.


"This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours. We will keep customers apprised of additional information with updates to our security bulletin, which can be found here."


"To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time."


"Arm (has) been working together with Intel and AMD to address a side-channel analysis method which exploits speculative execution techniques used in certain high-end processors, including some of our Cortex-A processors. This method requires malware running locally and could result in data being accessed from privileged memory. Please note that our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

"We are encouraging our silicon partners to implement the software mitigations developed if their chips are impacted."

Apple has not yet responded to requests for comment.
