Intel failed to warn US government about Meltdown and Spectre flaws before going public
Intel is facing criticism from the US government after it was revealed that the company did not inform cyber security officials about the Meltdown and Spectre vulnerabilities even though they had been known about for months.
Reports about the Meltdown and Spectre flaws were leaked by the Register, and it wasn't until this information hit the public domain that Intel decided to speak to US-CERT about the matter. The lack of communication from the chip-maker was revealed in a series of letters sent by technology firms to lawmakers this week.
- Microsoft gives sysadmins Meltdown and Spectre detection in Windows Analytics
- Tests show how much Meltdown fixes will hit Linux system performance
- Intel releases updated Spectre and Meltdown patches for Skylake systems
- Intel releases benchmark results detailing Meltdown patch performance slowdown
It was a full six months after Google's parent company, Alphabet, told Intel about the security problems, but the chip-maker felt that because hackers were yet to exploit the vulnerabilities, there was no need to alert authorities.
Reuters says that it has seen letters sent by Intel, Alphabet and Apple which were sent in response to questions from House Energy and Commerce Committee chair, and Oregon Republican Representative Greg Walden.
Alphabet reiterates what we already knew about Intel being advised of the problems via Google's Project Zero back in June. Intel's letter says that there was "no indication that any of these vulnerabilities had been exploited by malicious actors" and therefore kept quiet about them. As per Project Zero policies, Google had also agreed not to go public with the findings.
Intel says that it spoke with other tech firms who use its chips, but admitted that it hadn't performed any analysis into whether Meltdown and Spectre posed a threat to critical infrastructure.