Major tech companies, including Intel, Microsoft and Google, scrambled to calm the mood this week after a large number of computer users reported performance problems linked to security updates for the Spectre and Meltdown vulnerabilities.
A firestorm of criticism has erupted over the response to the chip flaws, which researchers at Google's Project Zero discovered in 2016. Months passed before the problems were disclosed to the public. Further, the security patches released in recent days have been blamed for performance problems, including slowdowns in many systems. The fixes reportedly rendered a smaller number of systems unbootable.
Intel CEO Brian Krzanich on Thursday sent an open letter to the technology industry, pledging the company would make frequent updates and be more transparent about the process, and that it would report security issues to the public in a prompt manner.
Design Flaw
Intel Executive Vice President Navin Shenoy on Wednesday issued an update on the impact of the patches on performance, saying that eighth-generation Kaby Lake and Coffee Lake platforms would see less than a 6 percent performance decrease. However, users running Web applications with complex Javascript operations might see a 10 percent reduction.
The seventh-generation Kaby Lake platforms would experience a 7 percent reduction, and the impact on the sixth-generation Skylake platforms would be slightly higher at 8 percent.
Intel released numerous statements after the vulnerabilities were made public, and it shot down reports that its chips were the only ones at risk.
However, the Rosen Law Firm on Wednesday announced that it had filed a class action suit against Intel, alleging a failure to disclose the design flaw. The complaint cited reports that Intel had been warned of the problem. An Intel spokesperson was not immediately available to comment for this story.
Project Zero researchers discovered serious security flaws caused by "speculative execution," a technique used by modern CPUs to optimize performance, Matt Linton, senior security engineer at Google Cloud, and Matthew O'Connor, office of the CTO, wrote in an online post.
G Suite and Google Cloud platforms have been updated to protect against known attacks, the company said, though it acknowledged concerns that a variant of Spectre is considered more difficult to defend against.
Microsoft and others in the industry were notified of the issue several months ago under a nondisclosure agreement, Terry Myerson, executive vice president of Microsoft's Windows and Devices group, noted earlier this week in an online post. The company immediately began engineering work on updates to mitigate the risk.
The flaw could allow a nonprivileged user to access passwords or secret keys on a computer or a multitenant cloud server, explained Stratechery analyst Ben Thompson in a post Myerson referenced.
Contrary to Intel's protests, the potential risk from Meltdown is due to a design flaw, Thompson also noted.
Users of Windows 8 or Windows 7 systems using Haswell or older CPUs and would see a decrease in system performance after patching the flaw, Myerson noted.
Apple released updates for iOS, macOS High Sierra, and Safari on Sierra and El Capitan, noting the issue relates to all modern processors and affects nearly all computers and operating systems.
However there have been no reported compromises of customer data, Apple added, and Apple Watch is not affected by Meltdown or Spectre.
Performance Over Prudence
"The Meltdown and Spectre vulnerabilities require adjustment to critical, low-level interfaces in affected operating systems," said Mark Nunnikhoven, vice president of cloud security at Trend Micro.
"Given the scale of the issue, the patches by Microsoft, Apple, Google and others have been very successful," he told TechNewsWorld.
Still, there have been problems in some cases, Nunnikhoven said, noting that Microsoft and AMD have been pointing fingers at one another following reports of computers slowing down or in some cases not booting.
Microsoft has suspended automatic updates and is working with AMD on a solution, it said in a security bulletin.
Like most organizations, chip manufacturers long have prioritized speed over security," said Ryan Kalember, senior vice president of cybersecurity strategy atProofpoint, "and that has led to a tremendous amount of sensitive data being placed at risk of unauthorized access via Meltdown and Spectre.
The software patch required to fix Meltdown can slow computer processors down by as much as 30 percent, said Alton Kizziah, vice president of global managed services at Kudelski Security.
"Organizations need to test patches before installing them to make sure that systems that may already be pushed to their limits won't crash and cease functioning as a result of the patch," he told TechNewsWorld. Also, those using Microsoft patches may need to make adjustments to their registry keys to avoid interference with antivirus software.
No comments:
Post a Comment