Intel CEO promises patches, better communication on security
Brian Krzanich says patches for most new CPUs by 15th January, pledges research and disclosure on security
Intel CEO Brian Krzanich has promised that the company is aiming to address security issues caused by Spectre and Meltdown exploits in most of its newer processors by 15th January.
In an open letter to the IT industry, Krzanich said that the company will release patches for 90% of CPUs less than five years old by that date. Older CPUs will not be a priority until the company has patches for the remaining 10% of newer processors, which are due by the end of the month.
The company also admitted that the impact on performance of patches to address the security flaws "varies widely". Intel said that it will improve communications across all aspects of the security issue, including regular progress reports and releases of data.
In the letter Krzanich thanked Google Project Zero for revealing the issues in a responsible manner, and also pledged that the company would increase industry and academic research into security and improve disclosure of security issues.
The full text of the letter reads:
"Following announcements of the Google Project Zero security exploits last week, Intel has continued to work closely with our partners with the shared goal of restoring confidence in the security of our customers' data as quickly as possible. As I noted in my CES comments this week, the degree of collaboration across the industry has been remarkable. I am very proud of how our industry has pulled together and want to thank everyone for their extraordinary collaboration. In particular, we want to thank the Google Project Zero team for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.
As this process unfolds, I want to be clear about Intel's commitments to our customers. This is our pledge:
1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.
2. Transparent and Timely Communications: As we roll out software and firmware patches, we are learning a great deal. We know that impact on performance varies widely, based on the specific workload, platform configuration and mitigation technique. We commit to provide frequent progress reports of patch progress, performance data and other information. These can be found at the Intel.com website.
3. Ongoing Security Assurance: Our customers' security is an ongoing priority, not a one-time event. To accelerate the security of the entire industry, we commit to publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks. We also commit to adding incremental funding for academic and independent research into potential security threats.
We encourage our industry partners to continue to support these practices. There are important roles for everyone: Timely adoption of software and firmware patches by consumers and system manufacturers is critical. Transparent and timely sharing of performance data by hardware and software developers is essential to rapid progress.
The bottom line is that continued collaboration will create the fastest and most effective approaches to restoring customer confidence in the security of their data. This is what we all want and are striving to achieve."