Highly regulated sectors, such as government offices and public health institutions, are most at risk of compromise as a result of the security flaw present in modern microprocessors from Intel Corp, Advanced Micro Devices Inc and other manufacturers, according to security experts. Widespread use of old computers and legacy components means software-based fixes being developed by companies like Microsoft Corp may slow down already-aging systems.
“This will adversely affect highly regulated sectors, such as the NHS,” said Michela Menting, digital security research director at ABI Research. “There’s a whole chain of authority that needs to run before machines can be altered. In addition to this wait time, once the patches are run, they are likely to slow down processing speeds.” Cedric Thellier, chief technical officer at French cybersecurity advising firm Akerva, isolated health-care institutions, as well as industrial players, as those that may be at a greater risk. He said it may simply prove too difficult to update some operationally sensitive systems these businesses rely on.
Reports emerged Tuesday that a feature used by billions of computer microprocessors had a vulnerability that hackers could exploit to gain access to private system data. A fix could be issued, but some computers may see a performance drag. The hardware-based nature of the underlying problem also means recall and replacement is almost certainly no option. Large companies running database servers could see some of the biggest impact from any slowdowns, said Ian Batten, a computer science lecturer at the University of Birmingham.
“I imagine that all over the Square Mile very subtle discussions are being held between database people, security people, compliance people and data center managers as they juggle the risk-to-performance trade-off from the patch,” he said, referring to London’s financial center. “Industries where servers need to operate continuously,” such as those that power cloud computing, “could feel an impact,” said Ido Naor, senior security researcher at Kaspersky Lab.
Amazon.com Inc, the biggest cloud-computing provider, previously said most of its affected AWS servers have already been secured. Microsoft said the majority of its Azure cloud infrastructure has been updated with the fix and most customers won’t see a noticeable slowdown with the update. While Intel has said there are no known incidents of this vulnerability being exploited so far, the company also said it may take weeks to fully protect systems running on its chips, and estimates of the degree of slowdowns the fixes may cause are based on simulations.
Peter Zaitsev, the co-founder and chief executive officer of Percona, a Raleigh, North Carolina-based company that helps businesses set and manage large computer databases, said that firms running such databases might see a 10 to 20 percent slowdown in performance from the patches being issued. He said this was not enough to cause major disruptions for most applications. He also said that subsequent versions of the patch would likely further reduce any performance impacts.
He also said that in cases where a company has a server completely dedicated to a single application there was likely no need to implement the patch as these machines are not susceptible to the attacks researchers have discovered. Still, computers used by institutions like the UK’s National Health Service are already slow compared with the newest machines today. “Add to that an incremental slowdown,” Menting said, referring to the proposed software patches, “and we’re looking at a significant reduction in productivity.”
“We are aware of this issue and are continuing to work with stakeholders to ensure the risk is minimized,” said an NHS spokesman. “There is no evidence to suggest this vulnerability has been exploited across health. We are constantly monitoring and continue to work closely with NCSC.” Cybercriminals are likely to already be looking for ways to exploit the vulnerabilities, aware that not everyone will install the patches, said Naor.
Google said in a blog post that it privately informed Intel, ARM Holdings Plc and AMD of these issues on June 1 last year to give them time to find remedies before the vulnerabilities became public. While the companies were working on fixes, the same vulnerabilities were independently discovered by a team of researchers affiliated with several academic institutions and computer-security firms.
Intel, responding to the reports, said the chip weakness doesn’t mean hackers could corrupt, modify or delete data, and the current solutions to the vulnerability “provide the best possible security for its customers.” There should be no impact on the company’s business, and performance slowdowns “should not be significant and will be mitigated over time,” the company said Wednesday. Still, investor concern has put pressure on the stock. Intel shares dropped 2.2 percent to $44.25 at 1:10 pm in New York, after declining 3.4 percent on Wednesday.
“This is a big blow for Intel,” Menting said. “AMD and ARM have been better with their responses, even if they are trying to allay fears of how long their products will remain vulnerable.” The company’s server chips have more than 99 percent market share. Those computers are at the heart of networks and are vital to the functioning of the internet and corporations.