Nope, no Intel chip recall after Spectre and Meltdown, CEO says
CEO Brian Krzanich says the new security vulnerabilities may be deep but they're also being fixed with software updates.
Hoping the Meltdown and Spectre security problems might mean Intel would be buying you a shiny new computer after a chip recall? Sorry, ain't gonna happen.
Intel famously paid hundreds of millions of dollars to recall its Pentium processors after the 1994 discovery of the "FDIV bug" that revealed rare but real calculation errors. Meltdown and Spectre are proving similarly damaging to Intel's brand, sending the company's stock down more than 5 percent.
But Intel CEO Brian Krzanich said the new problems are much more easily fixed -- and indeed are already well on their way to being fixed, at least in the case of Intel-powered PCs and servers. Intel said Thursday that 90 percent of computers released in the last 5 years will have fixes available by the end of next week.
"This is very very different from FDIV," Krzanich said, criticizing media coverage of Meltdown and Spectre as overblown. "This is not an issue that is not fixable... we're seeing now the first iterations of patches."
The vulnerabilities, announced Wednesday by Google and other researchers, open a new avenue of attack on PCs, phones , and servers -- computing devices using chips designed by Intel, Arm and, to a lesser degree, AMD. If an attacker manages to place malicious software on your device, it could use Meltdown or Spectre to listen in on other software whose data is supposed to be secure from eavesdropping within the system. That could mean an attacker could get access to passwords, encryption keys and other extremely sensitive data.
The attacks involve a modern chip feature called speculative execution. Patches to fix the problem affect operating systems , web browsers and the operation of the processors themselves. Tech companies are scrambling to release updates to protect against Spectre and Meltdown after news of the vulnerabilities started slipping out ahead of a planned coordinated announcement.
One concern has been that the fixes for Meltdown and Spectre will degrade performance. Krzanich flatly denied it. "For the real-world applications... it's minimal impact," he said.
Intel, working with makers of computers and their operating system software, plans patches that'll bring "complete mitigations" to computers using Intel chips designed in the last five years, said Steve Smith, Intel's general manager for data center engineering. The majority are already done, Krzanich said. For chips up to 10 years old, fixes will be released in coming weeks for the "vast majority" of Intel chips, Smith said.
Asked why Intel isn't talking about fixes for machines more than a decade old, Smith said, "We're working with [computer makers] to determine which ones to prioritize based on what they see as systems in the field."
Intel also is fixing the problem in future chips, starting with products that will arrive later this year, Smith said. Intel is effectively taking the software fixes being released now and building them directly into hardware, he said.
"We're putting those mitigations in our designs," Smith said. "We're not turning off the benefits of speculation."
The problems occur only when the chip is switching from one level of privilege to another, for example the change from running a computer user's software like Photoshop to the computer's operating system, which gets deeper access to the processor. The Intel fix will address those "corner cases... where you're moving from one level of protection to another," Smith said.
The issue is a particular concern for data centers run by companies like Google , Amazon and Microsoft , where many computing processes run side by side in different compartments on the same hardware. Google, Amazon and Microsoft all say they've updated their systems to protect against Spectre and Meltdown.
Intel chips from the last 15 years are affected, the company said. That's an awful lot of computers, though Intel declined to say how many chips it's shipped since then, and in any event it's impossible to know how many are still in use.
"You don't know, if somebody went out and bought a PC five years ago, whether someone owns that PC, whether it's operational or whether they've turned it into a paperweight," Krzanich said.
There's been concern that Spectre in particular will be difficult to fix, but Krzanich disagreed.
"The mitigations we're providing -- the ones that will roll out by next week from the [computer makers] and the ones cloud service providers have already put in place -- solve both problems," Krzanich said.
Krzanich sold hundreds of thousands of Intel shares in November, based on a plan filed in October, both months after Google told the company of the vulnerabilities in June 2017. But the stock sale was unrelated, Intel said.
"It wasn't something where I had information that allowed me to trade," Krzanich said. "Intel has a very rigorous process for how I manage my stock. I have a stock trading plan that is defined over time, so when socks sell it's defined up front and I have no control over that. Those [plans] are reviewed by the company."
And though he sold lots of stock, Krzanich still has 250,000 shares, as required by his employment contract. "To me, 250,000 shares is still quite a bit of stock to be owning," he said. "I'm a strong believer in Intel's stock. That's a large amount of my net worth, and I'm passionate about Intel's future."
First published Jan. 4, 4:53 p.m. PT.
Update, 5:36 p.m. PT: Adds detail about CEO Brian Krzanich stock sale.
Solving for XX: The industry seeks to overcome outdated ideas about "women in tech."
Special Reports: All of CNET's most in-depth features in one easy spot.