Companies scramble to fix computer flaws
Companies are rushing to update computer systems to patch security flaws revealed this week that affect chips used in almost every device — despite fears that the fixes will slow down their performance.
Intel on Friday was hit with several class- action lawsuits from disgruntled consumers worried about slower computer performance. The chipmaker aims to issue updates for 90% of the chips made in the past five years by the end of next week.
The software updates that try to overcome flaws in the chips — made by Intel, AMD and Arm — are complicated and timeconsuming to apply.
Once patched, experts had estimated the systems could run between 5% and 30% more slowly. Intel said Apple, Amazon, Microsoft and Google had all seen no meaningful impact on performance since updating their systems.
However, unlike the big cloud companies, most IT customers do not have “the skilled PhDs” to make sure their systems do not suffer from patching, said Joseph Unsworth, an analyst at research firm Gartner.
Many companies will be discouraged from updating their systems due to warnings that they will perform worse, he added.
A US government-sponsored cyber security team backtracked on its original recommendation on Thursday to replace all hardware, saying the guidance had been “too blunt” and “impractical in the short term.” The Computer Emergency Response Team (CERT) at Carnegie Mellon University said one of the reasons it had changed its advice was due to a conversation with Intel.
Gavin Millard, technical director at Tenable, a cyber security company, said IT operation teams around the world would be “under significant pressure” to patch, or update, every system.
Apple said it had already released patches to defend its Mac systems against the flaw known as Meltdown, adding that the Apple watch was not affected.
While an operating system update helps protect against Meltdown, several software updates may be required to mitigate the risks presented by the second vulnerability, named Spectre, in order to address the different ways hackers could exploit it. For example, an update to a browser could help foil hackers using Spectre to jump from a malicious advert in one window to harvest an online banking password in another tab.
Karl Sigler, manager of threat intelligence at Trustwave, a cyber security company, said IT departments would be in “overdrive” for the “foreseeable future.” Updates to firmware, software which runs closest to the computer hardware, can be the most challenging to install.
“Adding insult to injury, most firmware updates need to be installed directly on the system requiring a person being physically in front of the machine. Whether you send every user a USB stick with instructions for installation (and lots of prayer) or you send an IT person to every terminal, you can see how burdensome and complex the process can become,” Mr. Sigler said.
There is no evidence that the Meltdown and Spectre flaws have actually been exploited by hackers, but it is not clear that it would be possible to tell if they had.
Art Manion, the vulnerability analysis technical manager at CERT, said he expected a new range of improved hardware to avoid these kind of attacks in coming years.
Shares in Intel, which have fallen 4% since the flaws were first reported, ticked up 0.30%in late trade in New York, while shares in AMD were down 2%.
Intel has been hit by four class-action lawsuits in the US since the flaws became public this week, with consumers in California, Oregon and Indiana claiming the chipmaker should compensate them for the alleged slowdown in performance.
A lawsuit from Richard Ries and Zachary Finer, consumers in California, alleged that Intel “took shortcuts” that created the vulnerability and mis- sold its product as “some of the fastest available on the market.” The plaintiffs also drew attention to the Intel chief executive’s automatic stock-selling plan, which started after the company knew about the flaws.
“Rather than inform consumers about the major security flaw, Intel’s chief executive officer Brian Krzanich opted to sell millions of dollars of Intel stock — all that he could part with under the corporate bylaws — after he learnt of the Meltdown security flaw,” the complaint said. Intel said the share sale was unrelated and in line with corporate guidelines.