Spectre-style Intel chip vulnerability disclosures delayed, patches not expected until Aug...

Posted:
in Current Mac Hardware edited May 2018
The release of patches to fix new Spectre-style flaws in Intel's processor designs is allegedly delayed by two more weeks to late May, but a report suggests Intel wants to push the release back even further into July while it works to finalize the required updates.

Spectre logo


Intel had previously intended for processors affected by the new batch of flaws, unofficially named Spectre NG, to be fixed by patches starting from May 7, at the same time as details about the vulnerabilities themselves are disclosed to the public. According to sources ofHeise.de, Intel is now planning a co-ordinated release on May 21, two weeks later than planned.

The report claims the eventual release of patches and the disclosures isn't fixed, as Intel is claimed to have requested another extension to the delay. If granted, this extra alleged extension could end up with the details of the flaws, and some of the patches being released on July 10.

Security researchers usually inform manufacturers of the flaw once confirmed, giving the company a period of time to find a solution before publishing their findings, typically 90 days later. While delays can be requested, they are not always accepted by the research teams, who may opt to keep to their original schedule if it believes enough time has already passed for a fix to be created and distributed.

It was reported last week that eight new security flaws were found in Intel's CPUs, all caused by the same design-related issue, and with each requiring their own patches. Two waves of patches were scheduled, starting with one batch released in May followed by a second wave covering the more severe vulnerabilities in August.

Of the eight vulnerabilities, Intel apparently classified four as "high risk" while the other four are "medium risk." While seven are thought to be similar vulnerabilities to those found in Spectre, the eighth is considered an exception due to being able to exploit a virtual machine to attack a host system, making it potentially damaging to cloud-based services.

The vulnerabilities are said to affect all Core i processors and Xeon derivatives since 2010, as well as Atom, Pentium, and Celeron processors produced since 2013. As Intel chips are used in the Mac product ranges, it is highly likely Apple is affected by the flaws, and either has already issued or is actively working on patches for macOS.

Last week, Intel issued a statement ahead of the potential disclosures, effectively confirming the vulnerabilities exist. The company says it routinely works with other parties to "understand and mitigate any issues that are identified," that it strongly believes in the "value of co-ordinated disclosure," and reminds users to keep their systems up to date.

Revealed in January, the Meltdown and Spectre chip flaws in Intel and ARM-based processors allowed the creation of a number of exploits in systems using the components. All Mac and iOS devices were found to be affected by the issue, but Apple advised at the time it had already released mitigations for current operating system versions, and was working to develop other fixes.

In the following months, Intel became the subject of a number of lawsuits over the design flaws, including their effect on Intel's share price, and accusations that CEO Brian Krzanich allegedly sold shares worth millions of dollars after Intel was informed of the vulnerabilities, but before they were publicly disclosed.

Intel was also criticised for failing to notify U.S. cybersecurity officials of the flaws until after the public became aware of their existence.

Comments

  • Reply 1 of 3
    nunzynunzy Posts: 662member
    Apple should drop Intel once and for all.
    Avieshek
  • Reply 2 of 3
    jony0jony0 Posts: 378member
    Security researchers usually inform manufacturers of the flaw once confirmed, giving the company a period of time to find a solution before publishing their findings, typically 90 days later. While delays can be requested, they are not always accepted by the research teams, who may opt to keep to their original schedule if it believes enough time has already passed for a fix to be created and distributed. 
    Why would they do that ? What is the motivation ?
    Why would they refuse an extension when they already showed some restraint ?

    Since I am not a security researcher but a simple user and potential victim of any of these exploits, I can’t fathom any possible incentive of publishing. I can understand they don’t want Intel or others to be complacent but these flaws seem to be a tougher nut to crack.

    Is it just bragging rights for the researcher or the team, or is it the usual common modern motivator ?
    Do they collect a reward only upon publication ?
    Do they sell the scoop to the media or worse to nefarious agents ?
    If so I guess we have to commend their discipline so far, however temporary.
    Alex1N
  • Reply 3 of 3
    frank777frank777 Posts: 5,839member
    So these are eight newly discovered flaws, which means we won't see hardware fixes for another year or two at least.

    The article doesn't say whether these flaws also exist in Apple's A-series chips. (Spectre and Meltdown affected the A-chips as well.)

    I was looking forward to this year's "A-12" chips being the first to have hardware fixes against Spectre and Meltdown.
    Depending on whether these new flaws impact the A-series, Apple may not have those bragging rights after all.
    Alex1N
Sign In or Register to comment.