San Francisco — The world’s biggest chip makers and software companies, including Intel and Microsoft, are coming to grips with a vulnerability that leaves vast numbers of computers and smartphones susceptible to hacking and performance slowdowns.
Google researchers recently discovered that a feature present in almost all of the billions of processors that run computers and phones around the world could give cyberattackers unauthorised access to sensitive data, and that the remedy could drag on device performance.
News of the weakness, found last year and reported on Tuesday by technology blog The Register, weighed on shares of Intel, the biggest semiconductor maker, while boosting rivals including Advanced Micro Devices.
Intel’s silence for most of Wednesday added to investors’ unease.
Late in the day, Intel, Microsoft, Google and other tech bellwethers issued statements aimed at reassuring customers and shareholders.
Intel said its chips were not the only ones affected and it predicted no material effect on its business, while Microsoft, the largest software maker, said it had released a security update to protect users of devices running Intel and other chips.
Google, which said the issue affected Intel, AMD and ARM Holdings chips, noted that it had updated most of its systems and products with protections from attack.
Amazon.com, whose AWS is the leader in cloud computing, said most of its affected servers had already been secured.
Hackers for decades have exploited security holes in software — for example, by inducing careless, unsuspecting users to open attachments that unleash viruses or other malware onto a device or network.
The weakness uncovered by Google, by contrast, underscores the potential damage wreaked by vulnerabilities in hardware.
Complex components, such as microprocessors, can be harder to fix and take longer to design from scratch if flawed.
"It’s a big one and it’s a severe one. This gives an attacker capabilities that bypass the common operating system security controls that we’ve relied on for 20 years," said Jeff Pollard, an analyst at Forrester Research. "There’s big impact on both the consumer and enterprise."
Intel’s stock remained under pressure even after its statement.
"We struggle to believe that Intel won’t face some sort of financial liability," analysts at Sanford C Bernstein wrote in a note.
China’s largest cloud computing services scrambled on Thursday to address the issue.
Domestic industry leader Alibaba said it planned to update its systems from 1am on January 12 to handle potential chip security issues.
Rival Tencent said it was in touch with Intel on possible fixes but was not aware of any attempted attacks.
Applying the operating system upgrades designed to remedy the flaw could hamper performance, security experts said.
The Register reported that slowdowns could be as much as 30% — something Intel said would occur only in extremely unusual circumstances.
Computer slowdowns will vary based on the task being performed and for the average user "should not be significant and will be mitigated over time," Intel said, adding that it has begun providing software to help limit potential exploits.
Intel’s efforts to play down the impact resulted in a war of words with AMD.
Intel said it was working with chip makers including AMD and ARM Holdings, as well as operating system makers, to develop an industry-wide approach to resolving the issue.
AMD was quick to retort, saying "there is near-zero risk" to its processors because of differences in the way they are designed and built.
The vulnerability does not affect PCs alone. All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they are likely to be asked to run next. By queuing up possible executions in advance, they are able to crunch data and run software much faster.
The problem in this case is that this predictive loading of instructions allows access to data that is normally cordoned off securely, Intel vice-president Stephen Smith said on a conference call.
That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.
"The techniques used to accelerate processors are common to the industry," said Ian Batten, a computer science lecturer at the University of Birmingham in the UK who specialises in computer security. The fix being proposed would definitely result in slower operating times, but reports of slowdowns of 25%-30% were "worst-case" scenarios, he said.
Intel CEO Brian Krzanich told CNBC that a researcher at Google had made Intel aware of the issue "a couple of months ago".
"Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we’re better off to get the fix in place," Krzanich said, explaining how the company responded to the issue.
Google, a unit of Alphabet, identified the researcher as Jann Horn.
While many of its products had already been protected, some customers of Android devices, Google laptops and its cloud services still needed to take steps to patch security holes, the internet giant said.
Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD, the company said.
Late in the day, Microsoft said the majority of Azure cloud infrastructure has been updated with the fix and most customers would not see a noticeable slowdown with the update.
"We have not received any information to indicate that these vulnerabilities had been used to attack our customers," Microsoft said.
The fixes were originally planned for release on January 9 but were rushed out on Wednesday after the weakness was made public, according to a person familiar with the situation.
Apple did not respond to requests for comment about how the chip issue may be affecting the company’s operating systems.
Providers of computing power and services via the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing resources and energy to perform the same functions while maintaining security, said Frank Gillett, another analyst at Forrester.
"When you’re running billions of servers, a 5% hit is huge," he said.