The world’s biggest chipmakers and software companies, including Intel Corp. and Microsoft Corp., are coming to grips with a vulnerability that leaves vast numbers of computers and smartphones susceptible to hacking and performance slowdowns.
Google researchers recently discovered that a feature present in almost all of the billions of processors that run computers and phones around the world could give cyberattackers unauthorized access to sensitive data, and that its remedy could drag on device performance. News of the weakness, found last year and reported Tuesday by The Register technology blog, weighed on shares of Intel — which was bumped by Samsung from its spot as the biggest semiconductor maker, according to a separate report from Gartner released Thursday — while boosting rivals including Advanced Micro Devices Inc. Intel’s silence for most of Wednesday added to investors’ unease.
Late in the day, Intel, Microsoft, Google and other tech bellwethers issued statements aimed at reassuring customers and shareholders. Intel said its chips weren’t the only ones affected and predicted no material effect on its business, while Microsoft, the largest software maker, said it released a security update to protect users of devices running Intel and other chips. Google, which said the issue affects Intel, AMD and ARM Holdings Plc chips, noted that it updated most of its systems and products with protections from attack. Amazon.com Inc., whose AWS is No. 1 in cloud computing, said most of its affected servers have already been secured.
For decades, hackers have exploited security holes in software — for example, by inducing careless, unsuspecting users to open attachments that unleash viruses or other malware onto a device or network. The weakness uncovered by Google, by contrast, underscores the potential damage wreaked by vulnerabilities in hardware. Complex components, such as microprocessors, can be harder to fix and take longer to design from scratch if flawed.
“It’s a big one and it’s a severe one. This gives an attacker capabilities that bypass the common operating system security controls that we’ve relied on for 20 years,” said Jeff Pollard, an analyst at Forrester Research. “There’s big impact on both the consumer and enterprise.”
Google said in a blog post that it privately informed Intel, ARM and AMD of these issues on June 1, 2017, to give them time to find remedies before the vulnerabilities became public. While the companies were working on fixes, the same vulnerabilities were independently discovered by a team of researchers affiliated with several academic institutions and computer security firms.
In research papers made public online Wednesday, this second group of researchers identified a potential cyberattack that could exploit these vulnerabilities. Calling it “Meltdown,” the researchers said that in their tests it affected Intel chips most seriously but could also be used against ARM and AMD processors.
The researchers say they discovered another potential attack they dubbed “Spectre” that would be difficult to pull off but also harder to fix. In a paper on Spectre, they said that chipmakers had long prioritized processing speed over security. “As the costs of insecurity rise, these design choices need to be revisited, and in many cases alternate implementations optimized for security will be required,” the researchers said.
Intel’s stock remained under pressure even after its statement. The company’s shares were down 2.2% to $44.28 in early trading in New York.
“We struggle to believe that Intel won’t face some sort of financial liability,” analysts at Sanford C. Bernstein wrote in a note.
China’s largest cloud computing services scrambled Thursday to address the issue. Domestic industry leader Alibaba Group Holding Ltd. said it planned to update its systems from 1 a.m. on Jan. 12 to handle potential chip security issues. Rival Tencent Holdings Ltd. said it was in touch with Intel on possible fixes but wasn’t aware of any attempted attacks.
Applying the operating system upgrades designed to remedy the flaw could hamper performance, security experts said. The Register reported that slowdowns could be as much as 30% — something Intel said would occur only in extremely unusual circumstances. Computer slowdowns will vary based on the task being performed and for the average user “should not be significant and will be mitigated over time,” Intel said, adding that it has begun providing software to help limit potential exploits.
Intel’s efforts to play down the impact resulted in a war of words with AMD. Intel said it’s working with chipmakers including AMD and ARM Holdings, as well as operating system makers to develop an industrywide approach to resolving the issue. AMD was quick to retort, saying, “there is near-zero risk” to its processors because of differences in the way they are designed and built.
The vulnerability doesn’t just affect PCs. All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they’re likely to be asked to run next. By queuing up possible executions in advance, they’re able to crunch data and run software much faster.
The problem in this case is that this predictive loading of instructions allows access to data that’s normally cordoned off securely, Intel VP Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.
“The techniques used to accelerate processors are common to the industry,” said Ian Batten, a computer science lecturer at the University of Birmingham in the U.K. who specializes in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25% to 30% are “worst-case” scenarios, he said.
Intel CEO Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue “a couple of months ago.”
“Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we’re better off to get the fix in place,” Krzanich said, explaining how the company responded to the issue.
Google, a unit of Alphabet Inc., identified the researcher as Jann Horn. While many of its products have already been protected, some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the internet giant said.
Microsoft released a security update on Wednesday for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD, the company said in a statement. Late in the day, Microsoft said the majority of Azure cloud infrastructure has been updated with the fix and most customers won’t see a noticeable slowdown with the update.
“We have not received any information to indicate that these vulnerabilities had been used to attack our customers,” Microsoft said. The fixes were originally planned for release on Jan. 9, but were rushed out Wednesday after the weakness was made public, according to a person familiar with the situation.
Apple Inc. didn’t respond to requests for comment about how the chip issue may be affecting the company’s operating systems.
Providers of computing power and services via the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing resources and energy to perform the same functions while maintaining security, said Frank Gillett, another analyst at Forrester.
“When you’re running billions of servers,” he said, “a 5% hit is huge.”
By Ian King, with assistance from Dina Bass, Alex Webb, Jeremy Kahn, Mark Bergen, Spencer Soper and Lulu Yilun Chen.