Intel explains Meltdown and Spectre strategy to US authorities

23 Feb 2018

Intel building. Image: StockStudio/Shutterstock

Intel offers explanation for staying tight-lipped on Meltdown and Spectre.

The Meltdown and Spectre chip flaws have affected thousands of machines around the globe and the US authorities are among those who are searching for answers from Intel.

Many officials, both current and former, had asked why the company did not notify them until the news of the problems leaked to the general public.

The United States Computer Emergency Readiness Team (US-CERT) was not informed about the vulnerabilities until 3 January, following initial reporting from The Register on the issues.

US-CERT issues national warnings about cybersecurity issues that could have major effects on the public and private sectors, so it is natural that the body was concerned it was not notified in advance, considering the severity of the flaws.

Intel and others explain

Alphabet informed Intel of the problems six months prior to the wider world learning about Meltdown and Spectre.

Intel, Alphabet and Apple sent letters in response to questions asked by US government representative Greg Walden in January. According to Intel’s letter, the company “disclosed information about Spectre and Meltdown only to companies who could assist Intel in enhancing the security of technology users”.

Intel is of the belief that the US authorities would not have been able to help with the problems or issue a useful response. “Moreover, even were any infrastructure equipment at risk, early disclosure of these vulnerabilities to maintainers of such equipment would not have enabled the more rapid development of mitigations, although it would have increased the risk of premature disclosure of these vulnerabilities.”

Intel said it came to this conclusion after examining the CERT Guide to Coordinated Vulnerability Disclosure, among other protocols set by security authorities. It also said it would be introducing “new hardware design changes in our products to address vulnerabilities such as Spectre and Meltdown”.

Alphabet extended deadline

As The Register pointed out, the other companies noted that the faults mostly lay with Intel, with Amazon saying it focused efforts on developing mitigation measures for the Linux OS and the Xen hypervisor.

Alphabet’s letter said it informed Intel and other chipmakers of the issues in June, giving the companies 90 days to fix the problems before disclosing them to the general public. It said it left the decision to inform government up to the firms, which is standard practice for its Project Zero security research team.

Microsoft told representatives that it let several antivirus software makers know about the flaws in advance to provide them with time to fix or avoid any compatibility issues. Chipmaker AMD said that Alphabet extended the disclosure deadline from the standard 90 days on two occasions, first to 3 January and then to 9 January.


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.
