Facts about The New Security Research Findings and Intel® Products

Security-First Pledge


An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders.

Last updated January 23, 2018 11:51 am EST

Overview

On January 3, 2018 a team of security researchers disclosed several software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from many types of computing devices with many different vendors’ processors and operating systems.

Intel is committed to product and customer security and to responsible disclosure. We worked closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to mitigate this issue promptly and constructively.

Below are the latest facts, news and updates about these new exploits, as well as steps you can take to help protect your systems and information.

How the New Analysis Methods Work

These exploits are based on side-channel analysis. A side-channel is some observable aspect of a computer system’s physical operation, such as timing, power consumption or even sound. The statistical analysis of these behaviors can in some cases be used to potentially expose sensitive data on computer systems that are operating as designed. These exploits do not have the potential to corrupt, modify or delete data.

Most modern CPUs are able to predict what code they might need to run for a given process, and run it in advance so the results are ready before they are needed. This can significantly improve the overall performance and efficiency of a CPU, resulting in a faster and more capable computer or mobile device. CPUs may sometimes move data from one memory location to another for use by these processes. Although the system is operating exactly as it is designed to, in certain cases some of this data may be observable through these exploits.

Protecting Your Computer Systems

We have begun providing software and firmware updates to mitigate these exploits. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any updates as soon as they are available.
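
One way to confirm on a Linux host that the updates described above are active, as an added example that is not part of Intel's page: it reads the one-line status files that the Linux kernel (4.15 and later, or a distribution kernel with the backport) publishes under /sys/devices/system/cpu/vulnerabilities. The function names and the VULN_DIR override are this example's own.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's per-issue mitigation status.
# The kernel exposes one file per known CPU issue in the directory below;
# each file holds a single status line such as "Mitigation: ..." or "Vulnerable".
# VULN_DIR is an override invented for this example so the script can be
# pointed at constructed sample data instead of the live system.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS_LINE -> ok | mitigated | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report DIR -> one "class<TAB>issue<TAB>raw status" line per status file
report() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        # No interface at all: the kernel predates the updates or hides sysfs.
        printf 'no-interface\t-\t%s missing\n' "$dir"
        return 0
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f" 2>/dev/null) || status=""
        printf '%s\t%s\t%s\n' "$(classify "$status")" "$(basename "$f")" "$status"
    done
}

# needs_attention DIR -> count of entries that are neither ok nor mitigated
needs_attention() {
    report "$1" | awk -F'\t' '$1 != "ok" && $1 != "mitigated" { n++ } END { print n + 0 }'
}

report "$VULN_DIR"
echo "issues needing attention: $(needs_attention "$VULN_DIR")"
```

A non-zero count means the kernel reports at least one issue as unmitigated or the status interface is missing; the firmware updates mentioned above still have to be confirmed with the system manufacturer.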

For malware to compromise security using these exploits, it must be running locally on a system. Intel strongly recommends following good security practices that protect against malware in general, as that will also help protect against possible exploitation.

The threat environment continues to evolve. Intel is committed to investing in the security and reliability of our products, and to working constructively with security researchers and others in the industry to help safeguard users’ sensitive information.

Useful Resources About the Issue

This list is not comprehensive. System manufacturers, operating system vendors, and others not listed here may have published information regarding this situation. You should check for updates or advisories from your system manufacturer or operating system vendor.

FREQUENTLY ASKED QUESTIONS

Is my data at risk?

These exploits, when used for malicious purposes, have the potential to improperly gather sensitive data. Intel believes these exploits do not have the potential to corrupt, modify or delete data. You should check with your operating system vendor and system manufacturer, and apply any available updates as soon as practical. Intel strongly recommends following good security practices that protect against malware in general. Doing so will also help protect against possible exploitation of these analysis methods.

Is Intel aware of any real-world usage of these new exploits?

The researchers demonstrated a proof of concept, and Intel was able to replicate the findings. Intel is not currently aware of any malware based on these exploits. However, end users and systems administrators should apply any available updates as soon as practical, and follow good security practices in general.

Is this a bug in Intel hardware or processor design?

No. This is not a bug or a flaw in Intel® products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits. 

Which companies’ products are affected by these issues?

Many modern microprocessor architectures, including but not limited to Intel’s, are impacted. Refer to the security researchers’ blog post for more information.

Why doesn't Intel eliminate side-channel analysis methods?

Simply put, a side-channel is some observable aspect of a computer system’s physical operation, such as timing, power consumption or even sound. As such, they can’t be eliminated. However, Intel is committed to rapidly addressing issues such as these as they arise, and providing recommendations through security advisories and security notices. The latest security information on Intel® products can be found here.

Can these new exploits be enabled remotely?

No. Any malware using this side-channel analysis method must be running locally on the machine. Following good security practices that protect against malware in general will also help to protect against possible exploitation until updates can be applied.

When did Intel learn about the issue?

The security researchers notified Intel and other companies about this issue in June 2017. Intel is committed to responsible disclosure. In this case, the security researchers presented their findings in confidence, and we and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible.

When will updates to address this issue be available?

Intel and other companies have begun providing software and firmware updates to mitigate these exploits. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical.

Are there updates for all of the issues that have been disclosed?

With regard to Intel’s products, all the issues disclosed by researchers can be mitigated either by software or firmware updates. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical.

What should I do to protect my systems and information?

End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical. Following good security practices that protect against malware in general will also help to protect against possible exploitation of these analysis methods. Some of these include:

  • Maintain control of your computing environment
  • Regularly check for and apply available firmware/driver updates
  • Use hardware and software firewalls
  • Turn off unused services
  • Maintain appropriate user privileges
  • Keep security software up to date
  • Avoid clicking on unknown links
  • Avoid re-using passwords across sites

More information on good security practices can be found at:

Will applying updates to address this issue hurt the performance of my system?

Performance on some workloads or benchmarks may be impacted and will vary depending on the microprocessor and platform configuration (hardware and software). While some specialized workloads may see a noticeable performance impact, for most users any impact will be modest.

Why are some of the updates to address this issue on Intel systems coming from systems manufacturers and some from operating system vendors?

The most effective solution to this situation can vary, and may include updates to the operating system and firmware.

My system has a CPU that is not among those listed to receive an update. What should I do?

In some cases, the issue is addressed by an operating system update. You should check with your equipment manufacturer or operating system vendor for any available updates and apply them as soon as practical. If no updates are available, or you have not been able to install them yet, following good security practices that protect against malware in general will also help to protect against possible exploitation.

Are Intel® Itanium® processors affected?

No. Intel® Itanium® processors are not affected.

Impacted Intel® Platforms

The following Intel®-based platforms are impacted by this issue. Intel may modify this list at a later time. 

Please check with your system vendor or equipment manufacturer (see links above) for more information regarding your system.

  • Intel® Core™ i3 processor (45nm and 32nm)
  • Intel® Core™ i5 processor (45nm and 32nm)
  • Intel® Core™ i7 processor (45nm and 32nm)
  • Intel® Core™ m processor family (45nm and 32nm)
  • 2nd generation Intel® Core™ processors
  • 3rd generation Intel® Core™ processors
  • 4th generation Intel® Core™ processors
  • 5th generation Intel® Core™ processors
  • 6th generation Intel® Core™ processors
  • 7th generation Intel® Core™ processors
  • 8th generation Intel® Core™ processors
  • Intel® Core™ X-series processor family for Intel® X99 platforms
  • Intel® Core™ X-series processor family for Intel® X299 platforms
  • Intel® Xeon® processor 3400 series
  • Intel® Xeon® processor 3600 series
  • Intel® Xeon® processor 5500 series
  • Intel® Xeon® processor 5600 series
  • Intel® Xeon® processor 6500 series
  • Intel® Xeon® processor 7500 series
  • Intel® Xeon® processor E3 family
  • Intel® Xeon® processor E3 v2 family
  • Intel® Xeon® processor E3 v3 family
  • Intel® Xeon® processor E3 v4 family
  • Intel® Xeon® processor E3 v5 family
  • Intel® Xeon® processor E3 v6 family
  • Intel® Xeon® processor E5 family
  • Intel® Xeon® processor E5 v2 family
  • Intel® Xeon® processor E5 v3 family
  • Intel® Xeon® processor E5 v4 family
  • Intel® Xeon® processor E7 family
  • Intel® Xeon® processor E7 v2 family
  • Intel® Xeon® processor E7 v3 family
  • Intel® Xeon® processor E7 v4 family
  • Intel® Xeon® processor Scalable family
  • Intel® Xeon Phi™ processor 3200, 5200, 7200 series 
  • Intel Atom® processor C series
  • Intel Atom® processor E series
  • Intel Atom® processor A series
  • Intel Atom® processor x3 series
  • Intel Atom® processor Z series
  • Intel® Celeron® processor J series
  • Intel® Celeron® processor N series
  • Intel® Pentium® processor J series
  • Intel® Pentium® processor N series