Computer scientists at ETH Zurich discover new class of vulnerabilities in Intel processors, allowing them to break down barriers between different users of a processor using carefully crafted instruction sequences. Entire processor memory can be read by employing quick, repeated attacks. Anyone who speculates on likely events ahead of time and prepares accordingly can react quicker to new developments. What practically every person does every day, consciously or unconsciously, is also used by modern computer processors to speed up the execution of programs. They have so-called speculative technologies which allow them to execute instructions on reserve that experience suggests are likely to come next. Anticipating individual computing steps accelerates the overall processing of information.

However, what boosts computer performance in normal operation can also open up a backdoor for hackers, as recent research by computer scientists from the Computer Security Group (COMSEC) at the Department of Information Technology and Electrical Engineering at ETH Zurich shows. The computer scientists have discovered a new class of vulnerabilities that can be exploited to misuse the prediction calculations of the CPU (central processing unit) in order to gain unauthorized access to information from other processor users.Update:: Intel released a security advisory regarding CVE-2024-45332, accompanied by a public announcement, and provided TechPowerUp with the following statement:

"We appreciate the work done by ETH Zurich on this research and collaboration on coordinated public disclosure. Intel is strengthening its Spectre v2 hardware mitigations and recommends customers contact their system manufacturer for the appropriate update. To date, Intel is not aware of any real-world exploits of transient execution vulnerabilities.", Intel spokesperson

Amid the push for technology independence, Chinese companies are pushing out more products to satisfy the need for the rapidly soaring demand for domestic data processing silicon. Today, we have information that Chinese Loongson has launched a 3D5000 CPU with as many as 32 cores. Utilizing chiplet technology, the 3D5000 represents a combination of two 16-core 3C5000 processors based on LA464 cores, based on LoongArch ISA that follows the combination of RISC and MIPS ISA design principles. The new chip features 64 MB of L3 cache, supports eight-channel DDR4-3200 ECC memory achieving 50 GB/s, and has five HyperTransport (HT) 3.0 interfaces. The TDP configuration of the chip is officially 300 Watts; however, normal operation is usually at around 150 Watts, with LA464 cores running at 2 GHz.

Scaling of the new chip goes beyond the chiplet, and pours over into system, as 3D5000 supports 2P and 4P configurations, where a single motherboard can become a system of up to 128 cores. To connect them, Loongson uses a 7A2000 bridge chip that is reportedly 400% faster than the previous solution, although we have no information about the last chip bridge. Based on the LGA-4129 package, the chip size is 75.4x58.5×6.5 mm. Regarding performance, Loongson compares it to the average Arm chip that goes into smartphones and claims that its designs are up to four times faster. In SPEC2006, performance reaches 425 points, while maintaining a single TeraFLOP at dual-precision 64-bit format. On the other hand, the processor was built for security, as the chip has a custom hardware-baked security to prevent Spectre and Meltdown, has an on-package Trusted Platform Module (TPM), and has a secret China-made security algorithm with an embedded custom security module that does encryption and decryption at 5 Gbps.

The x86 CPU family has been vulnerable to many attacks in recent years. With the arrival of Spectre and Meltdown, we have seen side-channel attacks overtake both AMD and Intel designs. However, today we find out that researchers are capable of exploiting Intel's latest 10th, 11th, and 12th generation Core processors with a new CPU bug called ÆPIC Leak. Named after Advanced Programmable Interrupt Controller (APIC) that handles interrupt requests to regulate multiprocessing, the leak is claimeing to be the first "CPU bug able to architecturally disclose sensitive data." Researchers Pietro Borrello (Sapienza University of Rome), Andreas Kogler (Graz Institute of Technology), Martin Schwarzl (Graz), Moritz Lipp (Amazon Web Services), Daniel Gruss (Graz University of Technology), and Michael Schwarz (CISPA Helmholtz Center for Information Security) discovered this flaw in Intel processors.

ÆPIC Leak is the first CPU bug able to architecturally disclose sensitive data. It leverages a vulnerability in recent Intel CPUs to leak secrets from the processor itself: on most 10th, 11th and 12th generation Intel CPUs the APIC MMIO undefined range incorrectly returns stale data from the cache hierarchy. In contrast to transient execution attacks like Meltdown and Spectre, ÆPIC Leak is an architectural bug: the sensitive data gets directly disclosed without relying on any (noisy) side channel. ÆPIC Leak is like an uninitialized memory read in the CPU itself.

A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.

In 2017, the semiconductor world was shocked to discover new vulnerabilities in modern Intel, AMD, and Arm processors. Dubbed Spectre and Meltdown, these exploits used cache-based side-channel attacks to steal information from the system. Today, we are getting a more advanced side-channel vulnerability hidden in every CPU capable of boosting frequencies. Interestingly called "Heartzbleed," the new exploit can steal secret AES cryptographic keys when observing CPU's boost frequencies. The attack works by monitoring the power signature of any cryptographic workload. As with any other element in a CPU, the workload's power varies according to the processor's frequency scaling in different situations. Observing this power information can be converted into timing data, allowing an attacker to steal cryptographic keys. This is done using Dynamic Voltage Frequency Scaling (DVFS), a part of any modern processor.

Intel and AMD already published that their systems are vulnerable and affected by Heartzbleed exploit. It is labeled Intel-SA-00698 ID and CVE-2022-24436 ID for Intel CPUs and CVE-2022-23823 for AMD CPUs. It affects all Intel processors, and Zen 2 and Zen 3 AMD CPUs. The attacker can exploit this vulnerability remotely without requiring physical access. Intel and AMD will not offer microcode mitigations that should prevent this type of exploit from executing successfully. Additionally, Intel stated that this attack is not very practical outside of laboratory research, as it allegedly takes hours to days to steal cryptographic keys. The performance penalty for mitigating this attack ranges from high to low, depending on the type of implementation.

Cybersecurity researchers Saidgani Musaev and Christof Fetzer with the Dresden Technology University discovered a novel method of forcing illegal data-flow between microarchitectural elements on AMD processors based on the "Zen+" and "Zen 2" microarchitectures, titled "Transient Execution of Non-canonical Accesses." The method was discovered in October 2020, but the researchers followed responsible-disclosure norms, giving AMD time to address the vulnerability and develop a mitigation. The vulnerability is chronicled under CVE-2020-12965 and AMD Security Bulletin ID "AMD-SB-1010."

The one-line summary of this vulnerability from AMD reads: "When combined with specific software sequences, AMD CPUs may transiently execute non-canonical loads and store using only the lower 48 address bits, potentially resulting in data leakage." The researchers studied this vulnerability on three processors, namely the EPYC 7262 based on "Zen 2," and Ryzen 7 2700X and Ryzen Threadripper 2990WX, based on "Zen+." They mention that all Intel processors that are vulnerable to MDS attacks "inherently have the same flaw." AMD is the subject of the paper as AMD "Zen+" (and later) processors are immune to MDS as demonstrated on Intel processors. AMD developed a mitigation for the vulnerability, which includes ways of patching vulnerable software.

Find the security research paper here (PDF), and the AMD security bulletin here. AMD's mitigation blueprint can be accessed here.

Intel has had quite a lot of work trying to patch all vulnerabilities discovered in the past two years. Starting from Spectre and Meltdown which exploited speculative execution of the processor to execute malicious code. The entire process of speculative execution relies on the microarchitectural technique for adding more performance called speculative branch prediction. This technique predicts branch paths and prepared them for execution, so the processor spends less time figuring out where and how will instructions flow through the CPU. So far, lots of these bugs have been ironed out with software, but a lot of older CPUs are vulnerable.

However, an attacker has always thought about doing malicious code execution on a CPU core shared with the victim, and never on multiple cores. This is where the new CrossTalk vulnerability comes in. Dubbed Special Register Buffer Data Sampling (SRBDS) by Intel, it is labeled as CVE-2020-0543 in the vulnerability identifier system. The CrossTalk is bypassing all intra-core patches against Spectre and Meltdown so it can attack any CPU core on the processor. It enables attacker-controlled code execution on one CPU core to leak sensitive data from victim software executing on a different core. This technique is quite dangerous for users of shared systems like in the cloud. Often, one instance is shared across multiple customers and until now they were safe from each other. The vulnerability uses Intel's SGX security enclave against the processor so it can be executed. To read about CrossTalk in detail, please visit the page here.

When Spectre and Meltdown were discovered, the whole industry got on its legs and started to question CPU security more seriously. There are a plethora of attacks that exploit the CPU function called branch prediction, which predicts paths of code execution so it can ready them and execute them faster. This approach is one part of the microarchitectural techniques used to add performance to the CPU design. However, nothing comes without a cost. Despite adding more performance, the branch prediction had taken a toll on the security of CPUs, making them vulnerable to side-channel attacks. Spectre and Meltdown where both discovered in 2018 and they impact millions of CPUs around the world.

Today, a new side-channel vulnerability was discovered, and on Arm CPUs. Called the Straight-Line Speculation (SLS), the speculation bug is haunting all of Arm Armv-A based processors. This represents a wide range of devices being powered by these CPUs, so Arm is taking action to prevent it. The way SLS works is that whenever there is a change in instruction flow, the CPU just starts processing instructions found linearly in memory, instead of changing the path of flow. This action is resulting in a new SLS vulnerability marked as CVE-2020-13844. The vulnerability was discovered by Google SafeSide project last year and they have reported it to Arm. In the meantime, Arm was working on a fix and they already send them upstream to important operating systems and firmware suppliers so it can be resolved. Arm says that the chances of this attack are low, however, they can not be dismissed.

A new class of security vulnerabilities affect Intel processors, which can cause them to leak out sensitive information if probed in a certain way, but that's not the worst news for Intel and its users. The software- or firmware-level mitigation for this vulnerability can inflict performance reductions "ranging from 2x to 19x," according to a report by The Register. A full mitigation for the new Load Value Injection (LVI) class of vulnerabilities requires Intel to redesign software compilers. The vulnerability is chronicled under CVE-2020-0551 and Intel-SA-00334. It is not a remote code execution threat, however, it puts multi-tenant machines, such as physical servers handling multiple tenants via virtual servers.

"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the reasearchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel. The company could publish its findings in February. Additional technical details are found in the group's website here.Many Thanks to biffzinker for the tip.

Intel's STrategic Offensive Research & Mitigations (STORM) department, which the company set up back in 2017 when it learned of side-channel attack vulnerabilities in its CPUs, have penned a paper detailing a proposed solution to the problem. Intel's offensive security research team counts with around 60 workers who focus on proactive security testing and in-depth investigations. Of that group, STORM is a subset of around 12 individuals who specifically work on prototyping exploits to show their practical impact. The solution proposed by this group is essentially a new memory-based hardware fix, going by the name of SAPM (Speculative-Access Protected Memory). The new solution would implement a resistant hardware fix in the CPU's memory that essentially includes blocks for known speculative-access hacks, such as the ones that hit Intel CPUs hard such as Meltdown, Foreshadow, MDS, SpectreRSB and Spoiler.

For now, the proposed solution is only at a "theory and possible implementation options" level. It will take a long time for it to find its way inside working Intel CPUs - if it ever does, really, since for now, it's just a speculative solution. A multitude of tests have to be done in order for its implementation to be approved and finally etched into good old silicon. Intel's STORM says that the SAPM approach would carry a performance hit; however, the group also calculates it to be "potentially lesser" than the current impact of all released software mitigations. Since the solution doesn't address every discovered side-channel attack specifically, but addresses the type of back-end operations that concern these attacks, the team is confident this solution would harden Intel CPUs against (most of) both known and not-yet-known speculative execution hacks.

AMD in its technical brief revealed that its Zen 2 microarchitecture has hardware mitigation against the Spectre V4 speculative store bypass vulnerability. The current generation "Zen" and "Zen+" microarchitectures have OS-level mitigation. A hardware mitigation typically has less of a performance overhead than a software mitigation deployed at the OS or firmware level. In addition, just like older generations of "Zen," the new "Zen 2" microarchitecture is inherently immune to Meltdown, Foreshadow, Spectre V3a, Lazy FPU, Spoiler, and the recently discovered MDS vulnerability. In comparison, the 9th generation Core "Coffee Lake Refresh" processors still rely on software or microcode-level mitigation for Spectre V4, Spectre V3a, MDS, and RIDL.

Today Intel announced ModernFW - an experimental approach to building a minimum viable platform firmware for machines such as cloud server platforms. The reason for this software is that, while traditional PC Firmware has evolved over time and retained its backward compatibility, it has become very big and often inefficient.

So to meet the requirements of new platforms that need to be built quickly and adapted easily, Intel decided to offer a new software package that will help with that. The new firmware package targets x86_64 from ISA standpoint and Linux kernel based OSes.

Intel late Tuesday made a boat-load of enterprise-relevant product announcements, including the all important update to its Xeon Scalable enterprise processor product-stack, with the addition of the new 56-core Xeon Scalable "Cascade Lake" processor. This chip is believed to be Intel's first response to the upcoming AMD 7 nm EPYC "Rome" processor with 64 cores and a monolithic memory interface. The 56-core "Cascade Lake" is a multi-chip module (MCM) of two 28-core dies, each with a 6-channel DDR4 memory interface, totaling 12-channel for the package. Each of the two 28-core dies are built on the existing 14 nm++ silicon fabrication process, and the IPC of each of the 56 cores are largely unchanged since "Skylake." Intel however, has added several HPC and AI-relevant instruction-sets.

To begin with, Intel introduced DL Boost, which could be a fixed-function hardware matrix multiplier that accelerates building and training of AI deep-learning neural networks. Next up, are hardware mitigation against several speculative execution CPU security vulnerabilities that haunted the computing world since early-2018, including certain variants of "Spectre" and "Meltdown." A hardware fix presents lesser performance impact compared to a software fix in the form of a firmware patch. Intel has added support for Optane Persistent Memory, which is the company's grand vision for what succeeds volatile primary memory such as DRAM. Currently slower than DRAM but faster than SSDs, Optane Persistent Memory is non-volatile, and its contents can be made to survive power-outages. This allows sysadmins to power-down entire servers to scale down with workloads, without worrying about long wait times to restore uptime when waking up those servers. Among the CPU instruction-sets added include AVX-512 and AES-NI.

The Meltdown and Spectre vulnerabilities have been a real nightmare throughout this year. Those affected were quick (maybe too much) to mitigate the problems with different solutions, but months later even the most recent Intel chips aren't completely safe. Hardware fixes only work for certain Meltdown variants, while the rest are still mitigated with firmware and OS updates that have certain impact on performance.

Intel will have to redesign certain features on their future processors to finally forget Meltdown and Spectre, but meanwhile others have jumped to give some options. MIT researchers have developed a way to partition and isolate memory caches with 'protection domains'. Unlike Intel's Cache Allocation Technology (CAT), MIT's technology, called DAWG (Dynamically Allocated Way Guard) disallows hits across those protection domains. This is important, because attackers targeting this vulnerabilities take advantage of 'cache timing attacks' and can get access to sensible, private data.

The new 9th generation Intel Core processors arrived yesterday with a series of improvements made to entice gamers and content creators. These improvements, however, join others that go beyond pure performance. Intel has introduced several architectural changes to fix the infamous Spectre & Meltdown vulnerabilities, and the new processors mitigate most of the variants of these attacks through a combination of hardware, firmware and OS fixes.

The big changes come to two of the six variants of those vulnerabilities. In both "Rogue Data Cache Load" (Meltdown, variant 3) and "L1 Terminal Fault" (Meltdown, Variant 5) vulnerabilities these new processors have hardware fixes that are new and not present on the rest of the current portfolio of Intel chips. This includes the new Xeon W-3175X (Core-X Skylake-X Refresh), which still depend on firmware fixes to mitigate those problems.

The "Spectre" family of vulnerability, an exploitation of the speculative execution features of modern processors (mostly Intel), was scary enough. Up until now, running malware that implements Spectre needed one to run the program on a local machine. Running it remotely was limited to well-crafted JavaScript executed on the victim's machine, or cloud hosts made to process infected files. This is about to change. Security researchers from Graz University of Technology, including one of the discoverers of the "Meltdown" vulnerability, Daniel Gruss; have discovered NetSpectre, a fully network-based exploit that can let attackers read the memory of a remote machine without executing any program on that machine.

NetSpectre works by deriving bits and bytes from the memory based on measurements of the time the processor to succeed or recover from failure in speculative execution. As a processor is executing code, it speculates what the next instruction or data is, and stores their outcomes beforehand. A successful "guess" is rewarded with tangible performance benefits, while an unsuccessful guess is penalized with having to repeat the step. By measuring the precise time it takes for the processor to perform either (respond to success or failure in speculative execution), the contents of the memory can be inferred.

Legendary soft-modder Regeneration released a vast collection of motherboard BIOS updates for socket LGA1366 motherboards based on Intel X58 Express chipset, because motherboard manufacturers have abandoned the 10-year old platform (yeah, it's been a decade since "Nehalem"!). The BIOSes have been made by transplanting the latest micro-code updates by Intel, which run all the way back to the 1st generation Core micro-architecture.

These are unofficial BIOSes which you use at your own risk, but they've been made by a person with more than two decades of fanfare in the PC enthusiast community, famous for unofficial, performance-enhancing NGO VGA drivers from his now defunct blog NGOHQ.com. Find the links to the BIOS of your X58 motherboard in this thread on TechPowerUp Forums (hosted externally).

ASUS has silently began rolling out motherboard BIOS updates for its Intel 9-series chipset motherboards, which provide hardening against "Meltdown" and "Spectre" vulnerabilities, through a CPU microcode update. Intel, if you'll recall, released microcode updates for "Haswell" and "Broadwell" processors this March, but you were at the mercy of your motherboard manufacturer to pass them on to you. The BIOS updates pack the latest version 24 microcode for 4th generation "Haswell" and 5th generation "Broadwell" processors in the LGA1150 package.

A small catch here, is that the BIOS updates are marked "beta" by ASUS, because the understanding is that all 9-series motherboards sold through 2014-15 are EOL, and have probably lapsed warranty coverage, so the company is limiting its liabilities in case BIOS updates fail, or if the platform still ends up "vulnerable" somehow. The latest version of InSpectre confirms that the latest BIOS for the Z97-A, one of the more popular motherboards by ASUS based on the Z97 Express chipset, passes hardening against Meltdown and Spectre, coupled with Windows 10 April 2018 Update. You should find the latest BIOS updates in the "Support" tab of the product page of your motherboard on ASUS website. Here's hoping other motherboard manufacturers love their customers as much.

AMD today announced, via a security blog post penned by their own Mark Papermaster, that they're beginning deployment of mitigations and resources for AMD processors affected by the Spectre exploits. In the blog post, AMD reiterates how exploits based on version 1 of Spectre exploits (GPZ 1 - Google Project Zero Flaw 1) have already been covered by AMD's partners. At the same time, AMD reiterates how their processors are invulnerable to Meltdown exploits (GPZ3), and explains how mitigations for GPZ2 (Spectre) will occur.

These mitigations require a combination of processor microcode updates from OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows. For Linux users, AMD-recommended mitigations for GPZ Variant 2 were made available to Linux partners and have been released to distribution earlier this year.

In a blog post, Microsoft has announced that it has decided to take the matter of finding critical bugs of similar nature to the Spectre/Meltdown flaws into its own hands - at least partially. Adding to its bug bounty programs, the company has now announced that a new pot of up to $250,000 is up for grabs until at least December 31st of this year.

The new bug bounty program is divided into four different severity/compensation tiers, with tier 1 flaws (New categories of speculative execution attacks) granting up to $250,000 in rewards for the "coordinated disclosure" of such vulnerabilities. The idea here is Microsoft is employing the knowledge and will of the capable masses that might find ways of exploiting vulnerabilities, and would choose to disclose them to Microsoft - getting the prize money, helping the tech industry in providing a timely, coordinated defense against these exploits, and saving vast amounts of funding (and time), by not having to do the bug bounty themselves.

The Spectre/Meltdown road is long and pocked with lawsuits and security holes as it is, and Microsoft is one of the players that's trying to put the asphalt back to tip-top, Autobahn-worth shape. The company has already improved users' security to the Meltdown and Spectre exploits on its OS side; however, hardware patches, and specifically BIOS-editing ones are much harder to deploy and distribute by the PC chain. That may be one of the reasons why Microsoft is now again stepping up with software-based mitigations for Intel-based systems, specifically.

The new updates introduce a software-based CPU microcode revision update, and work at the OS-level to plug some security holes on your Intel processors that might otherwise remain unpatched. The reasons for them remaining unpatched can be many: either Intel taking even more time to deploy patches to the still vulnerable systems; your OEMs not deploying the Intel CPU microcode revisions via a BIOS update; or the good old "I forgot I could do it" user story. Of course, being software based means these Microsoft patches will have to be reapplied should users format their Windows system. The update can for now only be manually downloaded and installed, and can only be applied to version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core), but that's definitely better than the alternative of forcing less knowledgeable users to try and find their way through BIOS updates. Of course, that is assuming OEMs will ever push BIOS updates to their products.

Via updated documents on its Microcode Revision guide, Intel has revealed that they have finally developed and started deploying microcode security updates for their Broadwell and Haswell-based microprocessors. The microcode update comes after a flurry of nearly platform-specific updates that aimed to mitigate known vulnerabilities in Intel's CPUs to the exploits known as Spectre and Meltdown.

While that's good news, Intel's patching odyssey still isn't over, by any means. According to Intel's documentation, the Spectre fixes for Sandy Bridge and Ivy Bridge are still in beta and are being tested by hardware partners, so that's two other architectures that still remain vulnerable. Of course, this discussion of who's vulnerable and isn't really can't be reduced to which architectures Intel has released its updates to. Users have to remember that the trickle-down process from Intel's patch validation and distribution through manufacturers to end users' systems is a morose one, and is also partially in the hands of sometimes not too tech-savy users. Time will tell if these flaws will have any major impact in some users or businesses.

The United States Securities and Exchange Commission (SEC) came down hard on silicon valley executives trading company stock when their companies were investigating security or design flaws that could potentially bring down stock value; as something like that borders on insider-trading, a felony under US law. This comes in the wake of senior executives of credit rating company Equifax, and chipmaker Intel, dumping company stock while their companies were investigating security flaws in their products or services. Intel CEO Brian Kraznich raised quite a stink when reports emerged that he sold $39 million worth Intel stock while the company was investigating the Meltdown and Spectre vulnerabilities in its processors (which hadn't been made public while he dumped the stock).

The SEC has come up with a far-reaching new guideline to keep tech execs from exhibiting similar borderline-insider-trading behavior. "Directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company," the new guideline reads. "There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," said SEC Chairman Jay Clayton. "I have asked the Division of Corporation Finance to continue to carefully monitor cybersecurity disclosures as part of their selective filing reviews. We will continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed."

Intel today shared in a blog post that they are deploying microcode solutions that have been developed and validated over the last several weeks. These updates aim to patch security vulnerabilities recently found in Intel processors, and will be distributed, mostly, via OEM firmware updates - users who want to have their system hardened against Spectre and Meltdown exploits will have to ensure that their system manufacturer of choice makes these microcode updates available. If they don't do it in a timely fashion, users have no choice but to be vocal about that issue - Intel has now done its part in this matter.

This is the second wave of Intel's patches to mitigate the Spectre and Meltdown vulnerabilities, after the first, hasty patch sent users on towards unstable, crashing systems and the inevitable update rollback. Security had already been reinstated, of sorts, for Intel's Skylake processors, but left users of any other affected Intel CPU family out in the cold. Here's hoping this is the one update that actually sticks after thorough testing and validation.

(Editor's Note: This move by Intel aims to expand their bug-bounty program to specifically include side-channel attacks, such as those that can be leverage on the Spectre and Meltdown exploits. The company is also increasing the rewards it will give the researchers who find new flaws, a move that aims to employ the masses' knowledge and ingenuity to try and reach the hard-earned bonus at the end of the vulnerability - all while saving Intel much more money than it's paying to bug hunters.)

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we've made this part of our operating model is through a bug bounty program. The Intel Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.

ASUSTOR Inc. is releasing ADM to version 3.0.5 to fix the Meltdown security vulnerability in Intel CPUs. The models receiving an update are: AS3100, AS3200, AS5000, AS5100, AS6100, AS6200, AS6300, AS6400 and AS7000 series. For the AS6302T and AS6404T NAS devices, ASUSTOR is releasing a BIOS update to patch the Meltdown and Spectre vulnerabilities. Other x86 NAS will be patched as soon as Intel releases a patch.

For ASUSTOR's other models, they will be patched as soon as an updated Linux kernel is released. On non-Intel CPU models, ASUSTOR is also continuing to work with the other relevant CPU manufacturers. ASUSTOR takes security very seriously. When further information is released, customers will be informed through the appropriate channels.