Brian Krzanich on Thursday published an open letter addressing Intel's partners and customers regarding the aftermath of the publication of the Meltdown and Spectre exploits. Intel's chief executive reiterated the company’s plans to release security updates for its recent CPUs by early next week and mentioned the importance of collaborative industry-wide security assurance and responsible disclosure of security vulnerabilities going forward.

Intel intends to release software and firmware patches for 90% of its CPUs launched in the past five years by January 15. By the end of the month, Intel plans to issue software updates for the remaining 10% of processors introduced in the same period. After that, Intel will focus on releasing updates for older products based on the requests and priorities of its customers. The company confirms that the patches have an impact on performance and says that the impact varies widely based on workload and mitigation technique.

Going forward, the world’s largest maker of microprocessors plans to share hardware innovations with the industry to fast-track development of protection against side-channel attacks. In addition, the company intends to increase funding for academic and independent research into security threats. Brian Krzanich expects other industry players to follow similar practices: sharing security-related hardware innovations and helping researchers of security vulnerabilities.

The original letter reads as follows:

An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders

Following announcements of the Google Project Zero security exploits last week, Intel has continued to work closely with our partners with the shared goal of restoring confidence in the security of our customers’ data as quickly as possible. As I noted in my CES comments this week, the degree of collaboration across the industry has been remarkable. I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration. In particular, we want to thank the Google Project Zero team for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.

As this process unfolds, I want to be clear about Intel’s commitments to our customers. This is our pledge:

1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.

2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.

3. Ongoing Security Assurance: Our customers’ security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.

We encourage our industry partners to continue to support these practices. There are important roles for everyone: Timely adoption of software and firmware patches by consumers and system manufacturers is critical. Transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.

The bottom line is that continued collaboration will create the fastest and most effective approaches to restoring customer confidence in the security of their data. This is what we all want and are striving to achieve.

— Brian Krzanich

Source: Intel


  • thuckabay - Friday, January 12, 2018

    I am not willing to sacrifice the kind of performance noted for my Windows 7 laptop running a Sandy Bridge i7 CPU. That is stupid, especially given that there really is NO threat. Now that so many systems are going to be updated, there is little reason for any scumbags to try to exploit these vulnerabilities, IMO. From my perspective, the cure is far worse than the disease, especially on older hardware / OS combinations. It just is not worth it. So, I believe Microsoft should make a way to have these patches be OPTIONAL and AVOIDABLE and UNINSTALLABLE. This is crap!
  • Pinn - Friday, January 12, 2018

    look up herd immunity
  • Chyll2 - Friday, January 12, 2018

    I don't know if I am ignorant or something, but I agree with you; I'd rather have it optional if it will have an impact on the performance of my machines. Personally, I don't care if people are looking at my machine.
  • nandnandnand - Friday, January 12, 2018

    "Personally, I don't care if people are looking at my machine."

    Just looking at the keys needed to pwn your trash computer lol
  • dgingeri - Friday, January 12, 2018

    1. This can be implemented in malware easily without excluding other information gathering techniques. This just enhances malware's ability to collect information. So, there is little reason for them not to exploit this.

    2. You're still running Windows 7, making your computer at least 3 times more vulnerable to getting malware. This makes your information more vulnerable to being collected.

    Good luck to you and your credit rating. Very likely, you'll have your identity stolen by the end of this year.
  • dgingeri - Friday, January 12, 2018

    Oh, and...

    3. This patch has almost no impact on desktop performance. The big performance hit is on database servers, not desktop apps. If you knew anything about this vulnerability instead of lapping up the hype, then you would already know this.
  • LordanSS - Saturday, January 13, 2018

    Well, depends on what you do I guess.

    Windows + Firmware updates on an Intel i5 8400 + Titan X (Pascal) affect performance from 3.4% to 9.4% on gaming, at least from what they tested.

    If you're a professional or semi-pro gamer, that's not "negligible". And indeed, it's even worse on Workstation and Server stuff.
  • LordanSS - Saturday, January 13, 2018

    Sorry, forgot to post a link in case you wanted to check yourself.

    http://www.eurogamer.net/articles/digitalfoundry-2...
  • Hurr Durr - Friday, January 12, 2018

    Now that is a shlomoface if I ever saw one.
  • nandnandnand - Friday, January 12, 2018

    "We think of ourselves as an Israeli company as much as a US company"
