More criticism has been levelled at Intel and its partners in patching up the huge Meltdown and Spectre flaws – including Apple and Microsoft – by US lawmakers, who aren’t entirely happy about the way the whole episode has played out. And more specifically, the manner in which disclosure was delayed and generally handled.
As the Register reports, four Republicans in the House of Representatives – who chair various subcommittees including Energy and Commerce – sent the same lengthy letter to the CEOs of Intel, as well as Amazon, AMD, Apple, ARM, Google and Microsoft, essentially grilling them on exactly how the embargo on these bugs was handled.
The missive explains what we already know: that the Meltdown and Spectre vulnerabilities were discovered last June, but the aforementioned tech companies kept it all to themselves while they worked on fixes, with a planned disclosure date of January 9 in place. Although as it turned out, news of the security bugs leaked a week early, just as the New Year kicked off.
Now, obviously enough, the bugs were kept secret to prevent nefarious types from attempting to exploit them while the complex patches were worked on – but the letter points out that the issue with keeping this to just these seven leading tech firms left the rest of the industry rather in the lurch. Particularly given the fact that the disclosure embargo was broken a week early.
What this meant is that the rest of the tech industry was left scrambling to get fixes established, having been caught completely off-guard.
As the letter puts it: “Some observers have raised questions about the effect of the embargo on the ability of companies not included in the original June 2017 disclosure to protect their own products and users, compared to those companies that were included.”
The letter then quotes one such (unnamed) company, which explained that “unfortunately, the strict embargo placed by Intel has significantly limited our ability to establish a comprehensive understanding of the potential impact”.
It further observes that the patches which have been rushed out have subsequently caused problems with the likes of antivirus software conflicts, and ‘freezing’ PCs (perhaps a reference to the stability issues encountered with some Intel processors, as we’ve seen of late).
For the latest on how to protect yourself from Spectre and Meltdown, read our comprehensive guide.
The lawmakers acknowledge the need for secrecy while patching big flaws like these, but the thrust of the letter seems to be that Intel’s approach didn’t work all that effectively in this case, and perhaps a wider net should have been cast in terms of the companies informed about the bugs (or that others in the industry should have got at least a little more warning).
The subcommittee representatives clearly aren’t happy with the way the whole incident has panned out, and conclude that: “We believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures.”
An Intel spokesperson has responded to say: “The security of our customers and their data is critical to us. We appreciate the questions from the Energy and Commerce Committee and welcome the opportunity to continue our dialogue with Congress on these important issues.
“In addition to our recent meetings with legislative staff members, we have been discussing with the Committee an in-person briefing, and we look forward to that meeting.”
Meanwhile, Intel continues to fire-fight problems with its own patches for Meltdown and Spectre, and earlier this week, the company warned folks not to install the fixes for now due to the aforementioned stability problems (which include issues with multiple reboots and generally ‘unpredictable’ system behavior).
- We’ve picked out the best laptops of 2018