Intel chip security flaws that affect all Macs, as well as Windows and Linux machines, still exist, say security researchers – despite the chipmaker’s claims to have fixed them. Similar flaws were found and patched in ARM processors, but there is no suggestion at this stage that further issues remain in these.
The ‘fundamental design flaw’ in Intel’s CPUs came to light last year, with the security vulnerabilities dubbed Spectre and Meltdown. They would allow an attacker to view data in kernel memory, which could span anything from cached documents to passwords …
Apple and Microsoft issued patches based on Intel fixes, but security researchers say they identified additional variants of the flaws which the chipmaker took six months to patch – and further unpatched vulnerabilities remain.
The New York Times reports that the researchers have now gone public as a result of concerns that Intel was misleading people.
Responsible security researchers first privately disclose their findings to the companies concerned, typically allowing them six months to fix the problem before they go public. This normally works well, providing hardware and software suppliers time to create patches, while the public is informed about the need to update.
But that wasn’t entirely true, according to Dutch researchers at Vrije Universiteit Amsterdam who discovered the vulnerabilities and first reported them to the tech giant in September 2018. The software patch meant to fix the processor problem addressed only some of the issues the researchers had found […]
The public message from Intel was “everything is fixed,” said Cristiano Giuffrida, a professor of computer science at Vrije Universiteit Amsterdam and one of the researchers who reported the vulnerabilities. “And we knew that was not accurate.”
The team cooperated with Intel for as long as it could, say the researchers, but eventually they decided that public disclosure was necessary, first to try to shame the company into acting, and second because details of the flaws were already beginning to leak, which would allow bad actors to create exploits.
But the Dutch researchers say Intel has been abusing the process […] They said the new patch issued on Tuesday still doesn’t fix another flaw they provided Intel in May.
Intel acknowledged that the May patch did not fix everything the researchers submitted, nor does Tuesday’s fix. But they “greatly reduce” the risk of attack, said Leigh Rosenwald, a spokeswoman for the company.
The full piece on the latest chapter on the story of the Intel chip security flaws is well worth reading.
The Dutch researchers had remained quiet for eight months about the problems they had discovered while Intel worked on the fix it released in May. Then when Intel realized the patch didn’t fix everything and asked them to remain quiet six more months, it also requested that the researchers alter a paper they had planned to present at a security conference to remove any mention of the unpatched vulnerabilities, they said. The researchers said they reluctantly agreed to comply because they didn’t want the flaws to become public knowledge without a fix.
“We had to redact the paper to cover for them so the world would not see how vulnerable things are,” said Kaveh Razavi, also a professor of computer science at Vrije Universiteit Amsterdam and part of the group that reported the vulnerabilities.
After they notified Intel about the unfixed flaws in advance of Tuesday’s patch release, the company asked the researchers to remain silent until it could produce another patch, the researchers said. But this time they refused.
“We think it’s time to simply tell the world that even now Intel hasn’t fixed the problem,” said Herbert Bos, a colleague of Mr. Giuffrida and Mr. Razavi at Vrije Universiteit Amsterdam […]
“Anybody can weaponize [the Intel chip security flaws]. And it’s worse if you don’t actually go public, because there will be people who can use this against users who are not actually protected,” Mr. Razavi said.
Photo: Shutterstock
