Intel needs to come clean about Meltdown and Spectre

A lot more transparency is needed from Apple and AMD, too

Illustration by Alex Castro / The Verge

Intel hasn’t had the best of times recently. The Meltdown and Spectre security flaws have helped reveal fundamental issues with processor designs over the past 20 years, and the software updates to protect PCs will have performance impacts. Even as I write this, it’s still not clear to anyone exactly how bad these performance impacts will be for older desktop systems, or how significant they’ll be to server-based cloud platforms. It’s all a bit of a mess, and Intel hasn’t helped with its lack of transparency. It’s time for Intel to stop hiding behind cleverly worded statements.

Intel’s first response to the initial Meltdown and Spectre rumors was an angry blog post that provided few details, and claimed “performance impacts are workload-dependent,” and that they “should not be significant” to the average computer user without even a mention of potential server problems. Intel made it clear it wasn’t the only chipmaker affected by the issue, and the buzz over performance issues continued.

The initial response was angry and confusing

A day later, Intel issued a second response. This time, the company admitted “performance impact from the software updates may initially be higher” on some workloads, but the wording was still vague and confusing. Intel promised updates for 90 percent of processor products introduced in the past five years by the end of this week to fix the security problems. These updates are BIOS firmware updates, which are not distributed centrally by Intel or Microsoft, and require PC makers to properly manage and alert customers that they even exist. The buzz over performance issues continued.

Intel CEO Brian Krzanich took to a CES keynote stage last night and addressed the continued noise by repeating Intel’s promise of security updates and admitted that “some workloads may experience a larger impact than others,” without elaborating on exactly what workloads would be affected. Intel’s stock price has dropped 7 percent since the flaws were uncovered, and there are concerns over Krzanich’s Intel stock sales. Before Intel even managed to issue its third statement on the CPU flaws, Microsoft revealed some of the extent of the performance issues facing Windows PCs and server-based systems. Windows 7 and Windows 8 machines running Haswell or older processors are going to be impacted the most according to Microsoft, and “most [of those] users will notice a decrease in system performance.”

Intel has gone from “should not be significant” to “may initially be higher” to “impact may be significant” in the space of a week

Microsoft’s most troubling revelation is that Windows Server instances will have a “more significant performance impact,” especially if servers are I/O intensive. Microsoft is actually warning customers to consider not updating their server firmware if they don’t run untrusted code, to ensure performance isn’t impacted. Microsoft has performed a number of vague benchmarks across a variety of processors, but at least the company is trying to be transparent to its customers.

Intel issued its third statement today, reiterating that performance impacts shouldn’t be significant for “average computer users.” Intel’s latest statement includes benchmarks to back up its findings, but they’re limited to the latest eighth-generation Intel processors. Intel doesn’t mention the impact to older devices, but the company has finally acknowledged there are some “cases where the impact may be significant.”

Intel has gone from “should not be significant” to “may initially be higher” to “significant” in the space of a week.

CPU flaws were supposed to be disclosed in the middle of CES

Part of all this poor transparency might have been related to the timing of the flaw disclosure. Intel, AMD, Google, Microsoft, and others had agreed to embargo the details of Meltdown and Spectre until today, but the news broke early last week. Intel and others were caught off guard, despite being informed about the flaw back in June. Note that the original plan wasn’t all that transparent, as it would have put the news in the middle of one of the biggest technology shows in the world (CES).

Intel isn’t alone in its lack of transparency. AMD initially stated: “The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.” It turns out that AMD’s cleverly worded statement didn’t address potential performance issues or the Spectre variant 2 that requires firmware updates.

“It’s very difficult for the Spectre variant 2 to be exploited on AMD, but it’s also quite complex so we have said we’re subject to variant 2 and we’re working with the community around variant 2,” says AMD’s chief marketing officer John Taylor in an interview with The Verge. AMD is still working on the issues, and isn’t ready to talk about whether the company will need to issue firmware updates or any potential performance impacts.

Another company that isn’t talking about potential firmware updates is Apple. The Verge has reached out multiple times to confirm whether iPhones or Mac computers will require firmware updates to protect against the Spectre variant 2, and Apple has not yet revealed whether these updates have been issued, or if and when they will be. Apple has, at the minimum, so far issued operating system updates to mitigate against Spectre variant 1 and Meltdown.

It’s been a confusing week for all involved, but a lack of transparency hasn’t helped improve the situation. Microsoft and Red Hat have started to provide a clearer picture for the industry, but Intel’s processors are the ones mainly affected by these issues due to their prevalence and the types of computing they’re used for. Intel also dominates the server market, and the company has not been clear about the impact there. Intel is creating the firmware patches for Spectre variant 2, and it should know the performance impacts across Windows and Linux even more closely than Microsoft and Red Hat. Intel should be leading the way in helping customers understand the issues, not hiding behind cleverly worded statements that gradually eke out the truth, on what feels like each and every day.