SANTA CLARA, Calif. (AP) -- Intel's CEO sold shares in his company several months after Google informed the chipmaker of a serious security problem affecting its products. CEO Brian Krzanich sold about $39 million in stocks and options in late November, before the security vulnerability was publicly known. Intel says it was notified about the bugs in June.
Krzanich made about $25 million in profits, before taxes, from the sale, which was disclosed in government filings made at the time. The sale allowed Krzanich to whittle his holdings down to about 250,000 shares, the minimum he is required to own under Intel's rules.
Intel is at the center of the problem because it supplies the processors used in many of the world's PCs. Researchers say one of the bugs, called Meltdown, affects nearly every processor Intel has made since the mid-1990s.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.The widespread vulnerability could allow a hacker to steal information stored in the memory of the chip itself, including things such as passwords and cached files. It could also pave the way for attackers to weaken other security features. The vulnerabilities could allow a hacker to steal information stored in the memory of a wide range of computer chips running on personal devices — not just computers and phones, but also the servers in data centers, including those used to run cloud computing services. Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.
TECHNICAL READ ADOBE.PDF DOWNLOAD HERE :
Chips potentially affected date back more than five years, with some products listed on Intel's website about the vulnerabilities having been introduced as far back as 2008.
Intel shares fell 2.4 percent as of mid-day on Thursday to $44.17.
'Meltdown' and 'Spectre'
One of the vulnerabilities, dubbed Meltdown, is known to affect Intel chips.
Another, Spectre, could affect chips from many vendors, including Intel as well as AMD and Arm.
The computer industry is scrambling to patch security vulnerabilities in the chips that power nearly all the world's computers, including PCs, phones, and data center computers.
Intel and AMD chips power nearly all personal computers and the computers used in data centers, including those that power online services and cloud computing services, while Arm chips power many smartphones.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.
Project Zero team at Google :
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.
Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01.
So far, there are three known variants of the issue:
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
Read more here from Graz University of Technology :
Read more here from the Project Zero team at Google :