Resources and Response to Side Channel Variants 1, 2, 3
These methods, when used for malicious purposes, have the potential to improperly gather sensitive data. Intel believes these methods do not have the potential to corrupt, modify, or delete data. You should check with your operating system vendor and system manufacturer, and apply any available updates as soon as practical. Intel strongly recommends following good security practices that protect against malware in general. Doing so will also help protect against possible exploitation of these analysis methods.
The researchers demonstrated a proof of concept, and Intel was able to replicate the findings. Intel is not currently aware of any malware based on these methods. However, end users and systems administrators should apply any available updates as soon as practical, and follow good security practices in general.
No. This is not a bug or a flaw in Intel® products. These new methods leverage data about the proper operation of processing techniques common to modern computing platforms, potentially compromising security even though a system is operating exactly as it is designed to. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these methods.
Many modern microprocessor architectures, including but not limited to Intel’s, are impacted. Refer to the security researchers’ blog post for more information.
Simply put, a side-channel is some observable aspect of a computer system’s physical operation, such as timing, power consumption or even sound. As such, side channels can’t be eliminated. However, Intel is committed to rapidly addressing issues such as these as they arise, and providing recommendations through security advisories and security notices. The latest security information on Intel® products can be found here.
The security researchers notified Intel and other companies about this issue in June 2017. In this case, the security researchers presented their findings in confidence, and we and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible. Intel and nearly the entire technology industry follow a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed. (See CERT Guide to Coordinated Vulnerability Disclosure.) Intel is committed to coordinated disclosure as the industry standard.
Coordinated disclosure (also referred to as “responsible disclosure”) is widely regarded as the best way to responsibly protect customers from security vulnerabilities. Coordinated disclosure is based on two foundational concepts: (1) when companies become aware of security vulnerabilities, they work as quickly, collaboratively, and effectively as possible to mitigate those vulnerabilities, and (2) the companies simultaneously take steps to minimize the risk that exploitable information becomes available before mitigations are available – through leaks or otherwise – to those who would use it for malicious purposes.
These principles are perhaps best expressed by the Computer Emergency Response Team (CERT) at Carnegie Mellon’s Software Engineering Institute:
“The public and especially users of vulnerable products deserve to be informed about issues with those products and how the vendor handles those issues. At the same time, disclosing such information without review and mitigation only opens the public up to exploitation. The ideal scenario occurs when everyone coordinates and cooperates to protect the public.”
More information on coordinated disclosure and its importance can be found in the Guide to Coordinated Vulnerability Disclosure.
Intel and other companies provided software and firmware updates to mitigate these vulnerabilities. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical. Intel and other companies continue to evaluate, optimize, and improve the solutions developed for these vulnerabilities.
With regard to Intel’s products, all the issues disclosed by researchers can be mitigated either by software or firmware updates. End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical.
Applications using Intel® Software Guard Extensions (Intel® SGX) are vulnerable to the ‘Spectre’ method. We are actively working with our customers and industry partners to address this as a part of our ongoing work to develop and deploy mitigations for Spectre. For more information on mitigations available for Intel® Software Guard Extensions (Intel® SGX), please see our whitepaper.
End users and systems administrators should check with their operating system vendors and system manufacturers, and apply any available updates as soon as practical. Following good security practices that protect against malware in general will also help to protect against possible exploitation of these analysis methods. Some of these include:
- Maintain control of your computing environment
- Regularly check for and apply available firmware/driver updates
- Use hardware and software firewalls
- Turn off unused services
- Maintain appropriate user privileges
- Keep security software up to date
- Avoid clicking on unknown links
- Avoid re-using passwords across sites
More information on good security practices can be found at:
Why are some of the updates to address this issue on Intel systems coming from systems manufacturers and some from operating system vendors?
The most effective solution to this situation can vary, and may include updates to the operating system and firmware.
In some cases, the issue is addressed by an operating system update. You should check with your equipment manufacturer or operating system vendor for any available updates and apply them as soon as practical. If no updates are available, or you have not been able to install them yet, following good security practices that protect against malware in general will also help to protect against possible exploitation.