Intel Didn’t Warn US Government About CPU Security Flaws Until They Were Public
Intel didn’t provide US government officials with details on the Meltdown and Spectre CPU flaws until they leaked to the public last month. Reuters reports that US government officials have raised concerns that the flaws weren’t disclosed privately as they could have impacted national security. Intel didn’t report the flaws to US authorities because hackers hadn’t exploited the vulnerabilities yet. The Wall Street Journal previously reported that Intel notified a small number of customers about the flaws, including Chinese companies like Lenovo and Alibaba, before they were revealed publicly.
The approach may explain some of the confusion around Meltdown and Spectre as the flaws first came to light in a report from The Register in early January. Intel, Google Project Zero, Microsoft, and others were forced to disclose the vulnerabilities a day after The Register’s report, and initial statements from both AMD and Intel were confusing and misleading. Intel hadn’t informed the United States Computer Emergency Readiness Team (US-CERT), so there was no full warning about the security problems. Instead, CERT initially advised people to “fully remove” the flaws by replacing processors, but later revised its warning to simply patch systems.
Google’s Project Zero team originally reported the Spectre and Meltdown issues to Intel in June, and gave the company 90 days to fix the problems before publicly disclosing them. Reuters reports that Google twice extended the disclosure deadline beyond the standard 90 days. The first extension was to January 3rd (the day after The Register report), and the second to January 9th. The unusual extensions for an unusual problem meant the second date (January 9th) was what the industry was working towards, and it would have landed squarely in the middle of the Consumer Electronics Show.
Intel’s handling of the Spectre and Meltdown CPU vulnerabilities has been criticized widely over the past month. Intel issued a series of misleading statements, and then began to patch systems with buggy firmware updates that caused some system reboots. Microsoft was forced to issue an emergency Windows update to allow system administrators to reverse Intel’s patches. Intel has now started patching modern machines again this week, nearly nine months after the security flaws were first reported to the company. Intel is now facing at least 32 lawsuits over the Meltdown and Spectre vulnerabilities, alongside allegations of insider trading related to Intel CEO Brian Krzanich’s stock sales.