Facts about Security Research and Intel® Products

Last updated May 23, 2018 10:00 am PDT

Overview

Variant 4 and Variant 3a are derivatives of the side channel methods previously disclosed by Google Project Zero (GPZ) in January. There are multiple ways consumers and IT professionals can protect their systems, including browser-based mitigations that have already been deployed. We continue to urge all customers to keep their systems up-to-date as this is one of the best ways to stay protected.

Intel is committed to protecting customers and their data, and we are also committed to coordinated disclosure. We worked closely with many other technology companies, including AMD, Arm Holdings and several operating system and hypervisor vendors, to develop an industry-wide approach mitigating these issues.

Below are the latest facts, news and updates about Variant 4 and 3a, as well as the Variants previously disclosed by GPZ in January. We’ve also included more information on steps you can take to help protect your systems and information.

Please see the Intel Analysis of Speculative Execution Side Channels and Speculative Execution Side-Channel Mitigations white papers for more in-depth information.

Protecting Your Computer Systems

There are multiple ways for consumers and IT Professionals to safeguard their systems from the side channel analysis methods. Mitigation for Variant 4 started in January when most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today. However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates. Performance impact from the mitigations for Variant 4 will vary based on workload, platform configuration, and the mitigation techniques employed.

Variant 3a is mitigated in the same processor microcode updates as Variant 4, and Intel has released these updates in beta form to OEM system manufacturers and system software vendors. They are being readied for production release, and will be delivered to consumers and IT Professionals in the coming weeks. Based on preliminary observations, we expect no meaningful impact to system performance from the mitigation of Variant 3a.

Coordinated Disclosure

Coordinated disclosure is regarded as one of the best ways to protect customers from security exploits. Coordinated disclosure is based on two concepts: (1) when security vulnerabilities arise, companies work quickly, collaboratively, and effectively to mitigate the vulnerabilities, and (2) companies simultaneously take steps to decrease the risk that information becomes publicly available before mitigations are available. 
  
We believe that the principles of coordinated disclosure are best expressed by the Computer Emergency Response Team (CERT) at Carnegie Mellon’s Software Engineering Institute, which has stated: 
  
“The public and especially users of vulnerable products deserve to be informed about issues with those products and how the vendor handles those issues. At the same time, disclosing such information without review and mitigation only opens the public up to exploitation. The ideal scenario occurs when everyone coordinates and cooperates to protect the public.” 

Information on coordinated disclosure and its importance can be found in the Guide to Coordinated Vulnerability Disclosure. More information on Product Security at Intel can be found on our corporate responsibility site here.

How the Analysis Methods Work

A side-channel is some observable aspect of a computer system’s physical operation, such as timing, power consumption or even sound. The statistical analysis of these behaviors can in some cases be used to potentially expose sensitive data on computer systems that are operating as designed. These side channel analysis methods do not have the potential to corrupt, modify or delete data.

Most modern CPUs are able to predict what code they might need to run for a given process, and run it in advance so the results are ready before they are needed. This can significantly improve the overall performance and efficiency of a CPU, resulting in a faster and more capable computer or mobile device. CPUs may sometimes move data from one memory location to another for use by these processes. Although the system is operating exactly as it is designed to, in certain cases some of this data may be observable through these side channel analysis methods.

Read the Security-First pledge, an open letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders.

Useful Resources about the Issue

System manufacturers, operating system vendors, and others not listed here may have published information regarding this situation. You should check for updates or advisories from your system manufacturer or operating system vendor. This list is not comprehensive.

Information from System Manufacturers


Intel Customer Support

For assistance, contact your operating system vendor or system manufacturer above, or Intel Customer Support.

Submit an Intel Customer Support web ticket

Mainland China phone number: (800) 820 1100 (toll free)

Asia-Pacific phone numbers

Europe, Middle East, Africa phone numbers

Latin America phone numbers

North America phone number: (916) 377-7000

FREQUENTLY ASKED QUESTIONS

These exploits, when used for malicious purposes, have the potential to improperly gather sensitive data. Intel believes these exploits do not have the potential to corrupt, modify or delete data. You should check with your operating system vendor and system manufacturer, and apply any available updates as soon as practical. Intel strongly recommends following good security practices that protect against malware in general. Doing so will also help protect against possible exploitation of these analysis methods.

Intel is not currently aware of any malware based on these exploits. However, end users and systems administrators should apply any available updates as soon as practical, and follow good security practices in general.

No. This is not a bug or a flaw in Intel® products. These new exploits leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

Many modern microprocessor architectures, including but not limited to Intel’s, are impacted. 

Simply put, a side-channel is some observable aspect of a computer system’s physical operation, such as timing, power consumption or even sound. Intel is committed to rapidly addressing issues such as these as they arise, and providing recommendations through security advisories and security notices. The latest security information on Intel® products can be found above.

No. Any malware using these side channel analysis methods must be running locally on the machine. Following good security practices that protect against malware in general will also help to protect against possible exploitation until updates can be applied.

Variant 3a was first publicly documented in January 2018. Variant 4 was presented to Intel and other companies in February 2018. We and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible. Intel – and nearly the entire technology industry – follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed. (See CERT® Guide to Coordinated Vulnerability Disclosure.) 

Starting in January, most leading browser providers deployed updates mitigating Variant 1 – mitigations that are also applicable to Variant 4 and available for consumers to use today. To supplement these existing mitigations, Intel and other companies have begun providing software and firmware updates to provide additional protection where necessary. More information can be found in our whitepapers here. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical.

End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical. Following good security practices that protect against malware in general will also help to protect against possible exploitation of these analysis methods. Some of these include:

  • Maintain control of your computing environment
  • Regularly check for and apply available firmware/driver updates
  • Use hardware and software firewalls
  • Turn off unused services
  • Maintain appropriate user privileges
  • Keep security software up to date
  • Avoid clicking on unknown links
  • Avoid re-using passwords across sites

More information on good security practices can be found at:

Our data here is preliminary, but we have not observed any performance impacts on client or server benchmarks when mitigating variant 3a. We don’t expect any of the existing production browser-based changes for variant 4 to further impact system performance. In preliminary analysis, we have observed impacts on some benchmarks and very specific configurations when mitigating variant 4 with updated microcode and accompanying system software changes. More information on considerations for their use can be found in our whitepapers.

The most effective solution to this situation can vary, and may include firmware or software updates. Furthermore, starting in January, most leading browser providers deployed updates mitigating Variant 1 – mitigations that are also applicable to Variant 4 and available for consumers to use today.

You should check with your equipment manufacturer, operating system or browser vendor for any available updates and apply them as soon as practical. If no updates are available, or you have not been able to install them yet, following good security practices that protect against malware in general will also help to protect against possible exploitation.

Impacted Intel® Platforms

Please check with your system vendor or equipment manufacturer (see links above) for more information regarding your system.