Intel has announced that eight of its processors have potentially damaging vulnerabilities. The affected processors, which include sixth- to eighth-generation Intel Core processors and several Intel Xeon processors, are used in most computers made since 2015.
The company has created a detection tool on its support website to help people determine whether their systems are affected.
Security experts aren’t sure how difficult it would be to exploit the vulnerabilities and launch an attack. Jay Little, a security engineer with cyber consulting company Trail of Bits, told Reuters that for an attack to succeed, a vulnerable machine would need to be configured to allow remote access, and a criminal hacker would need to know the administrator’s username and password.
However, attackers could break in without those credentials if they have physical access to the computer, Little added.
Intel said that it knew of no cases where criminal hackers had exploited the vulnerability.
The company has now provided software patches to all major computer manufacturers, although it is up to them to distribute patches to computer users. This could take some time, as patching computer chips is much harder than patching software.
The importance of patch management
This is a perfect example of why all organisations need a patch management policy in place. Once a patch has been announced, the vulnerability is made public and cyber criminals try to exploit it. Every day that passes without applying that patch is a day that you leave yourself open to an attack.
Emergency patches such as this one are common, with security company Bromium reporting that organisations issue an emergency patch five times a month on average. Other patches are easier to plan for and are delivered routinely – such as Microsoft’s ‘Patch Tuesday’.
Routine and emergency patches should both be taken into account in an organisation’s patch management, but you should also conduct regular network penetration tests to check for unpatched operating systems, applications and server management systems.
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
We offer fixed-price and bespoke CREST-accredited penetration tests, and all our tests are followed by reports that rank and rate vulnerabilities in your systems.