Intel failed to disclose Meltdown and Spectre to government until flaws made public, Apple...
Apple, Google parent Alphabet and Intel in letters to lawmakers on Thursday revealed a bit of background information concerning the recent airing of Meltdown and Spectre chip vulnerabilities, saying Intel notified U.S. cyber security officials of the flaws only after their existence was made public.
The letters were sent to U.S. Rep. Greg Walden, chair of the House Energy and Commerce Committee, in response to questions the congressman leveled over the disclosure of Meltdown and Spectre, reports Reuters.
Specifically, Walden sought answers as to why government officials were not informed of the hardware vulnerabilities before they became public knowledge, potentially posing a threat to national security.
For its part, Intel said it decided not to inform the United States Computer Emergency Readiness Team, or US-CERT, upon learning about Meltdown and Spectre as hackers had not taken advantage of the flaws. In its letter, Intel said government officials were not notified because there was "no indication that any of these vulnerabilities had been exploited by malicious actors."
The chipmaker ultimately informed the US-CERT about the vulnerabilities on Jan. 3, a day after The Register reported on the issue and some six months after Google researchers first brought the flaws to Intel's attention.
Intel notified other tech companies of the problem last year, within the 90-day disclosure deadline offered by Google as standard practice. Google later extended that deadline to Jan. 3, then Jan. 9, according to a letter from AMD.
Meltdown and Spectre exploit a modern CPU feature called "speculative execution," a hardware design meant to improve operating speed by executing multiple instructions at the same time.
"To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed," Apple explained in a January statement. "If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software."
Though the processes are supposed to be inaccessible by applications and end users, Google researchers discovered that speculative executions could potentially be used to gain access to sensitive information stored in system memory.
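The bounds-check pattern behind the speculative read described above, shown beside its hardened form, as an added example that is not part of the original article or Apple's statement. The table contents are constructed, and the mask formula follows the generic array_index_mask_nospec() from Linux's include/linux/nospec.h (the same clamping idea kernels adopted as a Spectre variant 1 mitigation); it assumes a GCC/Clang-style arithmetic right shift.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data: a bounds-checked table laid out in front of
   bytes the caller is never meant to read (stand-in for "secret" memory). */
#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE + 8] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
    0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,   /* past the end */
};

/* Plain bounds check. Architecturally correct, but while the comparison is
   still unresolved the CPU may predict the branch as taken and issue the
   load with an out-of-bounds index; the rollback hides the result from the
   program, not from microarchitectural state (Spectre variant 1 pattern). */
uint8_t read_checked(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Same formula as the generic array_index_mask_nospec() in Linux's
   include/linux/nospec.h: all-ones when idx < size, zero otherwise,
   computed with arithmetic rather than a branch, so the result is correct
   even on a mispredicted path. Assumes an arithmetic right shift of a
   negative long (GCC/Clang behaviour). */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    return (size_t)(~(long)(idx | (size - 1 - idx)) >> (sizeof(long) * 8 - 1));
}

/* Hardened read: the index is clamped to 0 by the mask before the load, so
   even a speculatively executed load with an out-of-bounds idx touches
   table[0] rather than memory past the end. */
uint8_t read_masked(size_t idx)
{
    if (idx < TABLE_SIZE) {
        /* Keep the compiler from proving idx < TABLE_SIZE and deleting the
           mask (the kernel uses OPTIMIZER_HIDE_VAR for the same reason). */
        __asm__ __volatile__("" : "+r"(idx));
        idx &= index_mask_nospec(idx, TABLE_SIZE);
        return table[idx];
    }
    return 0;
}
```

Both functions return identical values for in-bounds and out-of-bounds indices; the difference is only what a speculatively executed load can touch.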
Initially thought to be limited to Intel silicon, Meltdown and Spectre were found to affect all modern processors, including ARM-based chips like Apple's A-series SoCs. Shortly after initial reports went live, Apple issued a statement confirming all Mac and iOS CPUs are impacted by the security flaw.
Apple began the process of mitigating Mac vulnerabilities in December, while later software and security updates patched iOS devices in January. Additional fixes for macOS High Sierra and older Mac operating systems were also pushed out last month.
Comments
Does Microsoft not bother with patches and disclose until there is a major breach?
Intel sat on their asses for months then put out “garbage” fixes because it became a PR problem.
Google frequently puts a fire under Microsoft to fix security issues (90 days) and they are right to do so...
IT people need to know about security vulnerabilities ASAP, to mitigate potential breaches, that goes doubly so for Government systems.
—
People are thinking about the NSA (etc.) exploits getting out in the wild. That’s another issue entirely.
Instead people should consider that Chinese hackers stole stealth fighter jet designs. What if that was NK and nukes?
This must be a misquote. Can Intel’s management really be this stupid and naive? Never mind, I just answered my own question. Bunch of effin retards.
why is this?
2nd, companies (even the size of Microsoft and Apple) have limited resources. You can see this in Apple’s shift in declaring they wouldn’t force out their next innovation, and rather focus more resources on speed, reliability, security, etc.
In my opinion, those things are more important. Google gives 90 days before going public on vulnerabilities they discover. If Microsoft can’t fix their bugs (for example), that means their allocation of resources is out of whack with the needs of their users (including businesses). The problem is businesses (especially public ones) prioritized profits above all else. Google basically shames companies into doing what they should be doing anyway.
After 90 days, either Microsoft has ignored the problem (bug) or it might be a bigger problem to fix than they estimated, and didn’t allocate the proper resources. The same applies to Intel, etc.
After Google makes it public, it becomes a global problem and an enormous amount of resources is dedicated to solving it. Some IT people might be working at the firewall/router (or other intrusion prevention system), others might be working at the software level (think antivirus) to detect suspicious activity and block it.
Rather than go on...basically governments and businesses have many other things they can do, rather than just wait for a patch/fix etc.
With the case of Intel’s vulnerabilities, the government needed to know immediately; finding out at the same time as hackers was incredibly stupid and dangerous.
Security starts in actual designing their system and there they are close to pathetic: Android is a security joke
The government and other actors likely already knew for a long time.
In fact, it's highly probable that most intrusions occur on exploits that are hoarded by private and governmental entities for their own enrichment.
In many cases with hardware exploits, early reveal, contrary to what happens with software, doesn't allow easy mitigation but simply increases the breadth of attack vectors.
In this case, it is trying to mitigate it on the down low that revealed the existence of the issue to a wider audience, though it would have gotten out soon anyway.