At the beginning of Intel’s fourth quarter 2017 earnings conference call, CEO Brian Krzanich immediately jumped into an update about patching the Meltdown and Spectre security issues found with the company’s processors. He confirmed that Intel is currently working on silicon-based changes for upcoming products that will address the problems on a hardware level. These products are expected to hit the market later in 2018.
Krzanich also hinted at the current problems Intel faces with the first software-based patch addressing Meltdown.
“While we made progress, I’m acutely aware that we have more to do, we’ve committed to being transparent keeping our customers and owners appraised of our progress and through our actions, building trust,” he said. “Our near-term focus is on delivering high-quality mitigations to protect our customers’ infrastructure from these exploits.”
Speculation points to knowledge of the Meltdown and Spectre issues long before acknowledging them in public. That is because processor designs remain locked for at least a year before they become products sold on the market. Intel’s ninth-generation “Ice Lake” family of processors is expected to launch by the end of 2018 or in early 2019 based on 10nm process technology. Thus, the fixes needed to be in place prior to December 2017.
Google’s Project Zero team went public with its Meltdown and Spectre findings at the beginning of January. But Intel already knew about the problems and admits it began distributing firmware updates to hardware partners in early December. It addressed five generations of Intel processors, only customers began reporting an unusually high number of system reboots after applying the update. As Krzanich said in his opening statement, Intel still has “more to do.”
That said, how long Intel knew about the issues prior to the public exposure is unknown at this point. The next processor family slated to hit the market is Intel’s eighth-generation “Cannon Lake” chips in early 2018, the company’s first processors based on 10nm process technology. It’s essentially a smaller version of Intel’s seventh-generation processor design, aka Kaby Lake, so hardware-based fixes for Meltdown and Spectre likely won’t be present.
Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) are three exploits presented by Google Project Zero, Cybrus Technology, and Graz University of Technology. They take advantage of how modern processors “think ahead” while computing multiple instructions using a technique called speculative execution. Processors “predict” the outcome of their tasks based on information stored in memory, thus speeding up the overall computing process. The exploits manage to access all that unsecured data.
The problem exists in all processors dating back to at least 2011 from Intel and AMD (x86), and those manufactured by Samsung, Qualcomm, and others based on ARM’s mobile processor architecture. Hardware companies are scrambling to patch what they can through software-based updates, and directly to the hardware in future processor releases as indicated by Intel.
“Security has always been a priority for us and these events reinforce our continuous mission to develop the world’s most secured products,” Krzanich said. “This will be an ongoing journey.”
