Consumer Electronics Daily was a Warren News publication.

Intel's Krzanich Vows to Disclose Security Flaws; Concedes Google Team's June Report

Intel CEO Brian Krzanich thanked the Google Project Zero team in an open letter Thursday for “creating the opportunity for the industry to address these new issues in a coordinated fashion,” referring to chip-based security vulnerabilities revealed last week that were initially largely attributed to Intel (see 1801030053). Jann Horn, of the Google Project Zero team, blogged last week that the team had reported the issue to Intel, AMD and ARM in June, saying: “We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.” Variants of the issue are “known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01,” Horn said. Intel said last week the software analysis methods -- which, when used for malicious purposes, have the potential to “improperly gather sensitive data from computing devices” -- were not unique to Intel. “Based on the analysis to date, many types of computing devices -- with many different vendors’ processors and operating systems -- are susceptible to these exploits,” it said, adding it was working with AMD, ARM and other operating system vendors on an industry-wide approach to resolve the issue. In his Thursday letter, Krzanich thanked Google Project Zero “for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.” Krzanich outlined Intel’s pledge for “customer-first urgency,” saying that by Jan. 15 it will have issued updates for “at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January.” Updates for older products will be handled by priority set by customers, he said. Krzanich also promised “transparent and timely communications” and “ongoing security assistance.” To accelerate security across the industry, Krzanich committed Intel will “publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks.” Intel will add funding for academic and independent research into potential security threats, he said. Google further detailed in an update Thursday how it protected Google Cloud products against "speculative execution vulnerabilities," and ensured Google Cloud customers saw minimal impact to performance.