Congress questions Apple, others over decision to keep Meltdown and Spectre details secret...
In letters sent to the CEOs of major tech companies on Wednesday, including Apple CEO Tim Cook, the U.S. House Energy and Commerce Committee asks why an agreement was made to keep details of the Meltdown and Spectre chip flaws secret until their public disclosure this month.
The congressional committee seeks answers from Apple, Amazon, AMD, ARM, Google, Intel and Microsoft, each of which released fixes for the hardware vulnerabilities over the past weeks, CNBC reports. A copy of the letter was posted online (PDF link) for public review earlier today.
As noted by the committee, a handful of tech firms, namely large entities directly impacted by Meltdown and Spectre, were informed of the vulnerabilities in June 2017 by Google's Project Zero team. These companies agreed to an "information embargo" originally set to expire on Jan. 9, 2018, by which point a majority of the planned software mitigations would have been distributed.
However, details of Meltdown and Spectre began to leak earlier than expected, with major news organizations reporting on the issue as early as Jan. 2. The sooner-than-expected disclosure forced tech firms to accelerate work on their respective mitigation initiatives, the letter claims.
"Though this schedule adjustment has not seemed to overly impact the effectiveness of the response, it does raise questions related to the effects and appropriateness of the embargo on companies not originally included in the June 2017 disclosure, and who were caught off-guard by the January 4 announcement," committee representatives Greg Walden, Marsha Blackburn, Robert Latta and Gregg Harper said in the letter.
Meltdown and Spectre are hardware vulnerabilities that affect nearly every modern microprocessor, including those designed and manufactured by Intel, AMD and Apple. Discovered by Google researcher Jann Horn, the flaws rely on a common performance feature called speculative execution to potentially glean sensitive information like passwords from system memory without a user's knowledge.
The letter raises questions as to whether the collective decision to remain mum on the subject negatively impacted companies, end users and other organizations not privy to the original disclosure. More pointedly, the committee says the recent events call for greater scrutiny of coordinated cybersecurity embargoes.
"While we acknowledge that critical vulnerabilities such as these create challenging tradeoffs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures," the letter reads.
For its part, Apple began the process of mitigating Mac vulnerabilities in December, with later software and security updates patching iOS devices early this month. Most recently, the company issued additional fixes for macOS High Sierra and older Mac operating systems on Tuesday.
The committee requests each CEO respond to a series of nine questions by Feb. 7.
Comments
Yeah, a lot of people were not told, and look what happened when only a few knew: some idiot leaked it out before the companies who could fix the issue had time to address the problem. I suspected the big guys like Apple, Intel and Microsoft, who control the vast majority of the computer and communication infrastructure, needed time to come up with solutions; once they had a fix they could share the information with everyone else and they all could roll out a similar fix. Considering how big of an issue this was, fewer people knowing was better until a fix could be rolled out.
Any Mac w/Mac OS X 10.10 or earlier on it.
iPad Mini 1st gen.
Millions of ATV 3's currently in use... shall I go on?