Weissblick - Fotolia

Can we trust Intel Inside to mean secure computing?

Intel has just released an updated patch after its previous update failed spectacularly. Now its CEO is promising security assurance

Having previously withdrawn its first patch for the Spectre and Meltdown processor flaw, Intel has now released a fix.

Towards the end of January, Intel was forced to admit that its patch for the Spectre and Meltdown processor bug was flawed and could cause PCs and servers to lock up.

It has now updated the patch and claims it will continue to work closely with industry partners to protect customers against the Spectre and Meltdown exploits, which were originally disclosed by Google Project Zero.

In a blog post, Navin Shenoy, executive vice-president and general manager of the datacentre group at Intel, said: “Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days. We also continue to release beta microcode updates so that customers and partners have the opportunity to conduct extensive testing before we move them into production.”

However, companies will have to wait until PC manufacturers decide to release the firmware updates to their hardware.

In the meantime, 139 samples of malware that exploit the Meltdown and Spectre vulnerabilities have been discovered by AV-Test. In a tweet, the security company said: “Most samples are binaries (compiled for Windows, Linux and MacOS), but we also found the first working JavaScript PoC [proof of concept] for Spectre. The latest (just-released) versions of eg Chrome and Firefox includes special fixes, so at least the PoC won’t work any more.”

In his blog post, Shenoy warned that security exploits often follow a similar lifecycle. “This lifecycle tends to include new derivatives of the original exploit as security researchers – or bad actors – direct their time and energy at it,” he said. “We expect this new category of side channel exploits to be no different. We will, of course, work closely with the industry to address these situations if and when they arise, but it again underscores the importance of regular system updates, now and in the future.”

Given Intel’s track record in fixing this flaw, question remain as to whether it is in a position to tackle processor security flaws quickly and efficiently. At the Consumer Electronics Show last month, Intel CEO Brian Krzanich pledged that the company would be committed to putting security first.

In an open letter on the Intel website, he wrote: “Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.”

Trustworthy Computing

Krzanich’s statement may tick the right boxes for a chief security officer hoping microprocessor security flaws will be handled by the industry, but it is not the same as Bill Gates’ Trustworthy Computing, when the Microsoft co-founder sent a company-wide memo that changed the culture not only of his organisation, but the whole of IT.

As Computer Weekly has reported previously, Microsoft needed to do Trustworthy Computing after the Code Red attack brought down Microsoft’s IIS web server software in 2001, and SQL Slammer became the fastest-spreading worm ever in 2003.

Microsoft has both led the way and relied on industry innovations and trends such as cloud computing to reduced the attack surface of the Windows system. Patch Tuesday illustrates that there are still plenty of flaws and patching will be a never-ending process – but it is a process that the IT industry and IT administrators fully understand.

It is now up to Krzanich and the boffins at Intel to develop a workable, modern-day equivalent of Trustworthy Computing to protect current and future microprocessors.

But Intel’s challenge goes beyond working with its hardware partners to release, in a timely manner, firmware updates that are robust and can be trusted not to crash or lock up their customers’ hardware. It also involves a radical shift in customer expectations, particularly if Intel is honest about providing what Krzanich describes as “ongoing security assurance”.

Nutanix president Sudheesh Nair told Computer Weekly: “If the flaw was a Java error, then you would avoid using the affected version of Java. But what is unique is that the processor flaw happened at such a fundamental level that no one has a choice. If we have more processor exploits, there will need to be major changes in the industry.”

Nutanix is one of the companies that has Intel inside its hyperconverged servers, so will rely on Intel passing on processor patches so it can update the firmware on its customers’ appliances.

Nair argued that hardware companies will need to separate security from performance, which will involve a fundamental shift in the way customers buy new systems. “Performance at the expense of data security and integrity is bad,” he said. “When a customer investigates a new architecture, they will run a proof of concept and do a performance test. If I am competing against another company for their business, the PoC almost always consists of a benchmark such as an IOPS [input/output operations per second] benchmark or a database benchmark. If you don’t perform well, the chances are we won’t win.”

Beyond enterprise IT, there is now a question about Intel’s brand – once a slogan for CPU performance. Although a processor logo on a laptop may not mean anything to anyone, having an Intel Inside badge prominently displayed when using a laptop in a public place may well be the carrot that tempts wannabe hackers to try an exploit.

Read more on Endpoint security