Intel (Chip Security Flaw) Inside

Widely used processor chips from Intel turn out to have a security flaw that could allow hackers to take control of a computer at its most basic operating levels.

The takeoffs on the chipmaker's "Intel Inside" slogan write themselves. But this is also one more teachable moment about a fundamental fact of security: You cannot count on vendors to do your security work for you.

The flaw in Intel chips was reported in a security advisory by the US Computer Emergency Readiness Team (US-CERT).

According to US-CERT's advisory, 64-bit operating systems running on these Intel processor chips are subject to a "local privilege escalation attack." Such an attack gives kernel privileges to malicious code, allowing it to act directly on the hardware-software interface.

The flaw is associated with a specific machine instruction, SYSRET. This instruction is part of the x86-64 standard defined by AMD. But if an operating system written around AMD's specs is run on an Intel processor, the instruction can allow an attacker to write to arbitrary memory addresses – bypassing key internal protections.

Windows 7 and Windows Server 2008 R2 are among the affected operating systems. AMD chips are free of this behavior, as are all 32-bit systems.

One security lesson here is that hardware as well as software can have flaws that provide an entry point for attackers. An even more basic security lesson is that weak points can slip through the development processes of even the largest vendors.

Companies cannot assume that their vendors have taken care of security for them. The way to have confidence in your information security is to think about what you are protecting, and build policies that will ensure it is protected. No security is perfect, but good security begins with awareness and planning.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp., our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."